Analysis
Max time kernel: 150s
Max time network: 124s
Platform: windows10_x64
Resource: win10v200722
Submitted: 19-10-2020 13:44

Static task: static1
Behavioral task: behavioral1 (Sample: the.ps1, Resource: win7v200722)
Behavioral task: behavioral2 (Sample: the.ps1, Resource: win10v200722)
General
Target: the.ps1
Size: 902KB
MD5: 7770c598848339cf3562b7480856d584
SHA1: b3d39042aab832b7d2bed732c8b8e600a4cf5197
SHA256: ee3b0468a16789da8706d46aa361049ec51586c36899646a596b630d913e7304
SHA512: 02af6d5910f0627074fbea72901b2f2b491f7dba58f53ae1fad1dc47230e000a7b459c8475a76aaf006629bb5822d89d4672d32fb64d073464ca41140cb134d2
Malware Config
Family: netwalker
Extracted from the following ransom notes (each yielded the same family and the same two URLs):
C:\Recovery\WindowsRE\5018E2-Readme.txt
C:\5018E2-Readme.txt
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\5018E2-Readme.txt
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\5018E2-Readme.txt
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\5018E2-Readme.txt
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\5018E2-Readme.txt
URLs:
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.

Modifies extensions of user files (6 IoCs)
Ransomware generally changes the extension on encrypted files. In this run the appended suffix is .5018e2, and the same token names the ransom note (5018E2-Readme.txt) dropped alongside the encrypted files. Every row is attributed to Explorer.EXE (PID 3060), not to powershell.exe: the WriteProcessMemory signature below records powershell.exe (PID 3984) writing into Explorer.EXE, so the encryption routine runs inside the injected Explorer process rather than in the script's own process.
Processes: Explorer.EXE
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\RedoHide.tiff | Explorer.EXE
File opened for modification | C:\Users\Admin\Pictures\ResolveFind.tiff | Explorer.EXE
File renamed | C:\Users\Admin\Pictures\GrantProtect.png => C:\Users\Admin\Pictures\GrantProtect.png.5018e2 | Explorer.EXE
File renamed | C:\Users\Admin\Pictures\CheckpointSuspend.png => C:\Users\Admin\Pictures\CheckpointSuspend.png.5018e2 | Explorer.EXE
File renamed | C:\Users\Admin\Pictures\ExportSwitch.png => C:\Users\Admin\Pictures\ExportSwitch.png.5018e2 | Explorer.EXE
File opened for modification | C:\Users\Admin\Pictures\LockBackup.tiff | Explorer.EXE
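Detection logic for the rename pattern in this table, as an added example that is not part of the sandbox report. It runs over a constructed list of file events modelled on the rows above (the PIDs, paths and the .5018e2 suffix are taken from this report; the WINWORD.EXE rows are invented benign noise) and reports a process only when it both appends one consistent suffix across several renames and creates a note file named <same token>-Readme.txt. The function names, the event tuple layout and the rename threshold are my own choices.

```python
"""Added example: flag ransomware-style extension appends plus a matching
ransom note from file-event telemetry. Not code from the report or sample."""
import re
from collections import Counter, defaultdict

# Constructed events: (pid, process, action, path[, new_path]).
# PIDs, paths and the .5018e2 suffix mirror the report; WINWORD rows are noise.
EVENTS = [
    (3060, "Explorer.EXE", "File opened for modification",
     r"C:\Users\Admin\Pictures\RedoHide.tiff"),
    (3060, "Explorer.EXE", "File renamed",
     r"C:\Users\Admin\Pictures\GrantProtect.png",
     r"C:\Users\Admin\Pictures\GrantProtect.png.5018e2"),
    (3060, "Explorer.EXE", "File renamed",
     r"C:\Users\Admin\Pictures\CheckpointSuspend.png",
     r"C:\Users\Admin\Pictures\CheckpointSuspend.png.5018e2"),
    (3060, "Explorer.EXE", "File renamed",
     r"C:\Users\Admin\Pictures\ExportSwitch.png",
     r"C:\Users\Admin\Pictures\ExportSwitch.png.5018e2"),
    (3060, "Explorer.EXE", "File created",
     r"C:\Program Files\Microsoft Office\root\rsod\5018E2-Readme.txt"),
    (3060, "Explorer.EXE", "File created",
     r"C:\Users\Admin\Desktop\5018E2-Readme.txt"),
    # Benign noise: a normal rename (not an append) and an Office temp file.
    (4444, "WINWORD.EXE", "File renamed",
     r"C:\Users\Admin\Documents\draft.docx",
     r"C:\Users\Admin\Documents\final.docx"),
    (4444, "WINWORD.EXE", "File created",
     r"C:\Users\Admin\Documents\~WRL0001.tmp"),
]

# Ransom-note name shape seen in this report: <token>-Readme.txt.
NOTE_RE = re.compile(r"\\([0-9A-Za-z]+)-Readme\.txt$", re.IGNORECASE)


def appended_suffix(old, new):
    """Return the suffix appended to ``old`` to form ``new`` (without the dot),
    or None when the rename is anything other than a pure ".<suffix>" append."""
    if new.startswith(old) and len(new) > len(old) + 1 and new[len(old)] == ".":
        return new[len(old) + 1:]
    return None


def detect(events, min_renames=3):
    """Return one finding per process that appended a single dominant suffix
    to at least ``min_renames`` files AND created a note carrying that token."""
    suffixes = defaultdict(Counter)   # pid -> Counter of appended suffixes
    notes = defaultdict(set)          # pid -> set of note tokens created
    names = {}
    for ev in events:
        pid, proc, action = ev[0], ev[1], ev[2]
        names[pid] = proc
        if action == "File renamed":
            s = appended_suffix(ev[3], ev[4])
            if s:
                suffixes[pid][s.lower()] += 1
        elif action == "File created":
            m = NOTE_RE.search(ev[3])
            if m:
                notes[pid].add(m.group(1).lower())
    findings = []
    for pid, ctr in suffixes.items():
        suffix, n = ctr.most_common(1)[0]
        # Requiring the note token to equal the suffix ties the two behaviours
        # together and keeps ordinary bulk renames out of the result.
        if n >= min_renames and suffix in notes.get(pid, ()):
            findings.append({"pid": pid, "process": names[pid],
                             "extension": "." + suffix, "renames": n})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

Against the constructed events this reports only PID 3060 (Explorer.EXE) with extension .5018e2 and three renames; the WINWORD.EXE rename is a plain name change and produces no suffix.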
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. No IoC rows are listed for this signature, so it is a TTP tag only and does not identify which process touched browser data.

Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
All five keys are written by vssvc.exe, the Volume Shadow Copy service, under its own VSS\Diag tree; they are the diagnostic keys VSS creates for its provider and writers when a shadow-copy request is serviced. They show that something invoked VSS during the run (the service appears as a separate top-level process in the tree below), not that the sample changed a service configuration, and the report does not capture the request that triggered it.
Drops file in Program Files directory (17109 IoCs; truncated list)
Processes: Explorer.EXE
description | ioc | process
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\aw_16x11.png | Explorer.EXE
File opened for modification | C:\Program Files\LimitUse.i64 | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\XboxControl\Xbox-press.png | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-unplated.png | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-fullcolor.png | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\ui-strings.js | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nb-no\ui-strings.js | Explorer.EXE
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar | Explorer.EXE
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\5018E2-Readme.txt | Explorer.EXE
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-oob.xrm-ms | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-32.png | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-100.png | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-black_scale-200.png | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\ui-strings.js | Explorer.EXE
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-tw\5018E2-Readme.txt | Explorer.EXE
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\index.html | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\en-us\styles\wefgallerywinrt.css | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\TriPeaks\Control_1.jpg | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_SaveAutomatically_RTL_Tablet.mp4 | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\LightBlue.png | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\klondike_icon.png | Explorer.EXE
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\AppxSignature.p7x | Explorer.EXE
File created | C:\Program Files\Microsoft Office\root\rsod\5018E2-Readme.txt | Explorer.EXE
File created | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\5018E2-Readme.txt | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\Reader_DC.helpcfg | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.png | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_OwlEye.png | Explorer.EXE
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ja-jp\5018E2-Readme.txt | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20.png | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\shuttle.3mf | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ca-es\ui-strings.js | Explorer.EXE
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\e913861faf354041fb8373917419.5018e2 | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-unplated.png | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\pt-br\ui-strings.js | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\osf\ellipsis_16x16x32.png | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\ZX______.PFB | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\mask\1s.png | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-200.png | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarWideTile.scale-125.png | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sendforsignature_18.svg | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteAudio_RecordingPlayback.gif | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-32_altform-unplated_contrast-white.png | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\al_60x42.png | Explorer.EXE
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-cn\5018E2-Readme.txt | Explorer.EXE
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WordInterProviderRanker.bin | Explorer.EXE
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter_18.svg | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarWideTile.scale-100.png | Explorer.EXE
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\ui-strings.js | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif | Explorer.EXE
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\CANYON.ELM | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\Print.scale-100.png | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-200.png | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-125.png | Explorer.EXE
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\5018E2-Readme.txt | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_altform-unplated_contrast-black.png | Explorer.EXE
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\CardBacks\CardBack3.png | Explorer.EXE
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\5018E2-Readme.txt | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-ae\ui-strings.js | Explorer.EXE
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR | Explorer.EXE
Suspicious behavior: EnumeratesProcesses (40715 IoCs; truncated list)
Processes: powershell.exe, Explorer.EXE
pid | process
3984 | powershell.exe (4 rows)
3060 | Explorer.EXE (every remaining row of the truncated table)
Suspicious use of AdjustPrivilegeToken (18 IoCs)
Processes: powershell.exe, Explorer.EXE, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 3984 | powershell.exe
Token: SeDebugPrivilege | 3060 | Explorer.EXE
Token: SeImpersonatePrivilege | 3060 | Explorer.EXE
Token: SeBackupPrivilege | 5936 | vssvc.exe
Token: SeRestorePrivilege | 5936 | vssvc.exe
Token: SeAuditPrivilege | 5936 | vssvc.exe
Token: SeShutdownPrivilege | 3060 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3060 | Explorer.EXE
Token: SeShutdownPrivilege | 3060 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3060 | Explorer.EXE
Token: SeShutdownPrivilege | 3060 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3060 | Explorer.EXE
Token: SeShutdownPrivilege | 3060 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3060 | Explorer.EXE
Token: SeShutdownPrivilege | 3060 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3060 | Explorer.EXE
Token: SeShutdownPrivilege | 3060 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3060 | Explorer.EXE
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: powershell.exe, csc.exe, csc.exe, Explorer.EXE
description | pid | process | target process
PID 3984 wrote to memory of 3932 | 3984 | powershell.exe | csc.exe
PID 3984 wrote to memory of 3932 | 3984 | powershell.exe | csc.exe
PID 3932 wrote to memory of 4020 | 3932 | csc.exe | cvtres.exe
PID 3932 wrote to memory of 4020 | 3932 | csc.exe | cvtres.exe
PID 3984 wrote to memory of 3040 | 3984 | powershell.exe | csc.exe
PID 3984 wrote to memory of 3040 | 3984 | powershell.exe | csc.exe
PID 3040 wrote to memory of 3468 | 3040 | csc.exe | cvtres.exe
PID 3040 wrote to memory of 3468 | 3040 | csc.exe | cvtres.exe
PID 3984 wrote to memory of 3060 | 3984 | powershell.exe | Explorer.EXE
PID 3060 wrote to memory of 1936 | 3060 | Explorer.EXE | notepad.exe
PID 3060 wrote to memory of 1936 | 3060 | Explorer.EXE | notepad.exe
The writes from a parent into a child it has just spawned (powershell.exe into csc.exe, csc.exe into cvtres.exe, Explorer.EXE into notepad.exe) are what ordinary process creation looks like to the sandbox hook. The row that matters is PID 3984 (powershell.exe) writing into PID 3060 (Explorer.EXE): in the tree below Explorer is powershell's parent, not its child, so this is the injection that moves the payload into Explorer, the process to which every subsequent rename and ransom-note drop is attributed.
Processes

Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\the.ps1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hbbofhrk\hbbofhrk.cmdline"
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2A7.tmp" "c:\Users\Admin\AppData\Local\Temp\hbbofhrk\CSC12B6E847FBBC49AEA826E0A488DF3C5E.TMP"

    Level 3: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vtwstjzv\vtwstjzv.cmdline"
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA39.tmp" "c:\Users\Admin\AppData\Local\Temp\vtwstjzv\CSCF099FFB18A4B421495959F8BAD1C9EF.TMP"

  Level 2: C:\Windows\system32\notepad.exe
    Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\5018E2-Readme.txt"

Level 1: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sandbox launches the sample from Explorer.EXE, so powershell.exe (PID 3984) is Explorer's child and runs the script with the execution policy bypassed. The two csc.exe invocations with /noconfig /fullpaths @<random>.cmdline, each followed by cvtres.exe, are consistent with PowerShell compiling C# at run time (Add-Type); the generated .0.cs source, .cmdline response file and output .dll for both temp directories (hbbofhrk and vtwstjzv) are listed under Downloads. powershell.exe then writes into Explorer.EXE (PID 3060), after which all file renames and ransom-note drops are attributed to Explorer.EXE, which finally opens the note in notepad.exe (PID 1936). vssvc.exe (PID 5936) appears as a separate top-level process because it is the Volume Shadow Copy service, started on demand rather than spawned by the sample.
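The same chain expressed as detection logic over process telemetry, as an added example that is not part of the sandbox report and not the sample's code. It serves both the WriteProcessMemory table and the process tree above: the process records and write pairs are constructed from the PIDs, images and command lines in this report (cvtres and csc command lines abbreviated to the flags the checks use), and the three checks pick out the script launch, the run-time C# compilation, and the one cross-process write that is not a parent writing into a child it just created. Function names and the record layout are my own.

```python
"""Added example: triage the loader chain from process-create and
cross-process-write events. Not code from the report or the sample."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None = parent not in the captured tree
    image: str
    cmdline: str


# Constructed from the Processes tree and the signature tables above.
PROCS = [
    Proc(3060, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(3984, 3060, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\the.ps1"),
    Proc(3932, 3984, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
         r'csc.exe /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hbbofhrk\hbbofhrk.cmdline"'),
    Proc(4020, 3932, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
         r'cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2A7.tmp"'),
    Proc(3040, 3984, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
         r'csc.exe /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vtwstjzv\vtwstjzv.cmdline"'),
    Proc(3468, 3040, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
         r'cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA39.tmp"'),
    Proc(1936, 3060, r"C:\Windows\system32\notepad.exe",
         r'C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\5018E2-Readme.txt"'),
    Proc(5936, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

# (source pid, target pid) from the WriteProcessMemory table, duplicates removed.
WRITES = [(3984, 3932), (3932, 4020), (3984, 3040), (3040, 3468), (3984, 3060), (3060, 1936)]


def image_name(p: Proc) -> str:
    return p.image.rsplit("\\", 1)[-1].lower()


def script_launch(procs: List[Proc]) -> List[int]:
    """powershell.exe started with an execution-policy bypass and a script file."""
    return [p.pid for p in procs
            if image_name(p) == "powershell.exe"
            and "-executionpolicy bypass" in p.cmdline.lower()
            and "-file" in p.cmdline.lower()]


def runtime_compiles(procs: List[Proc]) -> List[Tuple[int, int]]:
    """(powershell pid, csc pid) pairs: csc.exe launched by powershell.exe with a
    response file, the footprint of compiling C# at run time (Add-Type)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if image_name(p) != "csc.exe":
            continue
        parent = by_pid.get(p.ppid)
        if (parent and image_name(parent) == "powershell.exe"
                and "/noconfig" in p.cmdline.lower() and "@" in p.cmdline):
            hits.append((parent.pid, p.pid))
    return hits


def foreign_writes(procs: List[Proc], writes) -> List[Tuple]:
    """Cross-process writes whose target is NOT a child the writer spawned.
    Parent->child writes are dropped only because that is exactly what
    CreateProcess looks like to the hook; hollowing a child would need its
    own check (image/cmdline mismatch), which this function does not do."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for src, dst in writes:
        s, t = by_pid.get(src), by_pid.get(dst)
        if s is None or t is None or t.ppid == src:
            continue
        relation = "parent" if s.ppid == dst else "unrelated"
        out.append((src, image_name(s), dst, image_name(t), relation))
    return out


if __name__ == "__main__":
    print("script launch:", script_launch(PROCS))
    print("runtime compiles:", runtime_compiles(PROCS))
    print("foreign writes:", foreign_writes(PROCS, WRITES))
```

On the constructed data the only foreign write is powershell.exe (3984) into its own parent Explorer.EXE (3060); the csc/cvtres and notepad writes all fall out as parent-to-child and are not reported.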
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\RESD2A7.tmp
MD5: ad5729a71498f2fa57d9efa07a5bcbbf
SHA1: cd7215b7f154258d48a167d1e4e39e64d76eff62
SHA256: 9f0b4bb90da4cbe0407959b407c40ff8ab56e279164abc8f44371108e6ba8f3e
SHA512: 8af6fa5bfa966c9fffea7d7627095d10a73264f5cb62e4dafb1fc006504a848362d44811f576c3e795226d7957ba69dbc53dcc49f531e9135fe6aa8159035d2b

C:\Users\Admin\AppData\Local\Temp\RESDA39.tmp
MD5: 3421634da72dc53a8dca2ef8e0866a1c
SHA1: 99c324d7efce7bcb2ac48d538d75e8074588bd04
SHA256: c3c5e5dee9822204f0168c6b178a1254597db7aa72373de5da77bdfb70098ea5
SHA512: dce009609b5a5c4fa3f84e664e26a2007c77d1870d08b14f831b80a119e04114257da86cfa2567a29aadc1c1cf3f56cb39b65297a44de1f607c66a8548f7d6cd

C:\Users\Admin\AppData\Local\Temp\hbbofhrk\hbbofhrk.dll
MD5: 2dc3515173a01d9690e56d90b5918c96
SHA1: 71298af0559780750914623a998d6aa9a238177b
SHA256: f4748f65f9e103826274b253dc105caacf863c4b9fdbc9b0e76aacdd101773b9
SHA512: c57336d684b004bd29c3ab51a7706cd19340f0cdd9713509a98218d950e8a33074b2ec32fc8adc38526ad0cfef8807ee54b90de49c452efe7b4ba296fabd9b41

C:\Users\Admin\AppData\Local\Temp\vtwstjzv\vtwstjzv.dll
MD5: 67cf69b1585ff91956ac9576c05e08b5
SHA1: fc36058175e12187947d521e19d62e87f921855a
SHA256: af80e17e71de8c4517e6067fe8b785c1e6d50a913c8ae999d598e408f2b05819
SHA512: 9c8e3323a121124f9e134bfa99192b6d2015f74f9f69682e15f236849868d55691c91055ddcb30e8b8a5e118548660716f5722a678f407ccb7a0694fa23c3bba

C:\Users\Admin\Desktop\5018E2-Readme.txt
MD5: eb74980c7bf03a349c22cccd6e7c8682
SHA1: 3ef13325a21bf364704151d1e40c24111a07701d
SHA256: 2a1ec3eb656a50ea7be8f1a057c1317e2003021f92dd8997f265953312c0ca50
SHA512: 57381bb6c01697acbae01f2a444784a84ed83739f277543f08b2a8130896fcc07a563dbc29511481435aa5ba4bd7c3847333913e56708c78ac7ae256e3a17b2f

\??\c:\Users\Admin\AppData\Local\Temp\hbbofhrk\CSC12B6E847FBBC49AEA826E0A488DF3C5E.TMP
MD5: 866148646ae02eb4c9a38c3b7da72481
SHA1: a6781fe6e83c19f5c95366386d7e5450567540be
SHA256: 996e8e3d68a5efaddcb559a573c6e9620f583891b73569726ca4b75508489a82
SHA512: c25482bebd3da5d0b368ae04dcf275d2ed4466cd2429f1e505a18acdbf3fceef28ee148b8bf825bc25ee1d2b677c1976c802436ac0ebefc1fb64be5a60bb6d16

\??\c:\Users\Admin\AppData\Local\Temp\hbbofhrk\hbbofhrk.0.cs
MD5: 64db54f88f46e2ecc57b05a25966da8e
SHA1: 488dbbbab872714609ded38db924d38971a3685f
SHA256: e2b586aa1613682b4f1b92f981fea15d0612a3e632bbd73cd7287518c9ed7cb5
SHA512: 8791b75874fd7a90bf63742abe6d299bc4370ad910591207d7630901d80765f6f6a4475809f23becf112360403423d0c691744f1024af3dd89c104f2b0b9e729

\??\c:\Users\Admin\AppData\Local\Temp\hbbofhrk\hbbofhrk.cmdline
MD5: 557650a09e89aa8eabc1e6c5f8550eb1
SHA1: 14ca5bc7071dbcecc52b4b029a5552417c413c60
SHA256: 291d855e9e30c87be01dee911ecaa673923e21dc60710f6fb8099a175a504fb4
SHA512: 0ef30a7209ae5b80d81f51a26bc1279d36843a3250695f318882cc6b11bf9b09504c6836fdaa6d5167baceb3ad0b4549d26537c40b9ada6a3b6171e6892cb671

\??\c:\Users\Admin\AppData\Local\Temp\vtwstjzv\CSCF099FFB18A4B421495959F8BAD1C9EF.TMP
MD5: 0df12bad937dc8a03c6e3a274bb516d0
SHA1: 41a5edeef68a58a8f1662629569ee0b164d5a70d
SHA256: 53399bfef6b0efdd8c4af2cbe89bca4f17d89ebc9546f8b982c3221166ff3727
SHA512: 2f81a57f9d857604dcefa2a2bbd42f99ffc9eb171daa24a9f0e6627ef62ae8f90b306d9e0d803ab390c6f578d8a6bc31ad96c4c12a3fdf4c652ddd3f51e6c4c3

\??\c:\Users\Admin\AppData\Local\Temp\vtwstjzv\vtwstjzv.0.cs
MD5: 1cae52936facd4972987d3baef367d8d
SHA1: ad2b4b58d20f290b9da416cef1ef305cf1df6781
SHA256: 28b45e56fb27763b4785974e380c96eef1436fc151a802f492db25052392d400
SHA512: 4ae36c0ac78177eea5a6e0fbab0f51f7d24c7a76eae75b67eab41fcace921cef256b02fb088e1afb3c445e59598fbea73270e6bca1eda32514221190daa501df

\??\c:\Users\Admin\AppData\Local\Temp\vtwstjzv\vtwstjzv.cmdline
MD5: b55e24fc79ad82baaa09ae436821efce
SHA1: 0392d4e2a9eaaf87f59f394ed3bf7dd1d26e0470
SHA256: c193b840240a60b605af44a0d224eb98319d4e9f043e6316a38a3599c0cb50a8
SHA512: dfd676c338142471aba87696a61d480cd471984708126deecba9e95f3b4d54057ebad6867ce8e50c9c4f53b951ab8efd9f9ffba626e1f3fd31c8103b7a8d8fc1

Memory dumps (PID 3984 is powershell.exe, PID 3060 is Explorer.EXE, PIDs 3932/3040 are csc.exe, 4020/3468 cvtres.exe, 1936 notepad.exe, per the process tree):
memory/1936-20-0x0000000000000000-mapping.dmp
memory/3040-11-0x0000000000000000-mapping.dmp
memory/3060-19-0x00000000006E0000-0x0000000000702000-memory.dmp (Filesize: 136KB)
memory/3468-14-0x0000000000000000-mapping.dmp
memory/3932-3-0x0000000000000000-mapping.dmp
memory/3984-0-0x00007FFF4EA20000-0x00007FFF4F40C000-memory.dmp (Filesize: 9.9MB)
memory/3984-2-0x000001C678C90000-0x000001C678C91000-memory.dmp (Filesize: 4KB)
memory/3984-18-0x000001C678C40000-0x000001C678C42000-memory.dmp (Filesize: 8KB)
memory/3984-10-0x000001C678C20000-0x000001C678C22000-memory.dmp (Filesize: 8KB)
memory/3984-1-0x000001C65E6A0000-0x000001C65E6A1000-memory.dmp (Filesize: 4KB)
memory/4020-6-0x0000000000000000-mapping.dmp