Analysis
- max time kernel: 151s
- max time network: 122s
- platform: windows10_x64
- resource: win10
- submitted: 26-10-2020 08:05
Static task: static1
Behavioral task: behavioral1
- Sample: skyfall_user wilsonk_wilsonk_ste.txt.ps1
- Resource: win7
Behavioral task: behavioral2
- Sample: skyfall_user wilsonk_wilsonk_ste.txt.ps1
- Resource: win10
General
- Target: skyfall_user wilsonk_wilsonk_ste.txt.ps1
- Size: 903KB
- MD5: 819c083652fb851efcd0454ae9ecae14
- SHA1: c440ab6e70fc6d2dff7f7b3478b03a99672d062f
- SHA256: 1a387a66d0ae9f0aabeb33f46856fcd8d7621d210d87494f696b831f94537f1b
- SHA512: 3caee374a5ef95453c785afe148d8ec54eaf1136306163c4c9e4352e8a410f05d7759d02ff689298333cfe5b57bc1464a935a9cece336bc328d5edf99cd0bb51
Malware Config
Extracted from (the same configuration was recovered from each of these ransom notes):
- C:\5CBD01-Readme.txt
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\5CBD01-Readme.txt
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\5CBD01-Readme.txt
Config family: netwalker
URLs:
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
- Netwalker Ransomware
  Ransomware family with multiple versions. Also known as MailTo.
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: Explorer.EXE

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Users\Admin\Pictures\EnterSync.tiff | Explorer.EXE |
| File renamed | C:\Users\Admin\Pictures\UnprotectOptimize.png => C:\Users\Admin\Pictures\UnprotectOptimize.png.5cbd01 | Explorer.EXE |
| File renamed | C:\Users\Admin\Pictures\MergeLock.png => C:\Users\Admin\Pictures\MergeLock.png.5cbd01 | Explorer.EXE |
| File renamed | C:\Users\Admin\Pictures\EnterSync.tiff => C:\Users\Admin\Pictures\EnterSync.tiff.5cbd01 | Explorer.EXE |
| File renamed | C:\Users\Admin\Pictures\OpenUse.png => C:\Users\Admin\Pictures\OpenUse.png.5cbd01 | Explorer.EXE |
| File renamed | C:\Users\Admin\Pictures\UndoLock.png => C:\Users\Admin\Pictures\UndoLock.png.5cbd01 | Explorer.EXE |
| File renamed | C:\Users\Admin\Pictures\CompareFormat.crw => C:\Users\Admin\Pictures\CompareFormat.crw.5cbd01 | Explorer.EXE |
| File renamed | C:\Users\Admin\Pictures\InstallWrite.png => C:\Users\Admin\Pictures\InstallWrite.png.5cbd01 | Explorer.EXE |
| File renamed | C:\Users\Admin\Pictures\SwitchSearch.crw => C:\Users\Admin\Pictures\SwitchSearch.crw.5cbd01 | Explorer.EXE |
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe |
- Drops file in Program Files directory (17189 IoCs)
  Processes: Explorer.EXE
- Modifies registry class (2 IoCs)
  Processes: Explorer.EXE

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | Explorer.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | Explorer.EXE |
- Suspicious behavior: EnumeratesProcesses (32894 IoCs)
  Processes: powershell.exe, Explorer.EXE

| pid | process |
|---|---|
| 2172 | powershell.exe |
| 2944 | Explorer.EXE |
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Processes: powershell.exe, Explorer.EXE, vssvc.exe

| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 2172 | powershell.exe |
| Token: SeDebugPrivilege | 2944 | Explorer.EXE |
| Token: SeImpersonatePrivilege | 2944 | Explorer.EXE |
| Token: SeBackupPrivilege | 2624 | vssvc.exe |
| Token: SeRestorePrivilege | 2624 | vssvc.exe |
| Token: SeAuditPrivilege | 2624 | vssvc.exe |
| Token: SeShutdownPrivilege | 2944 | Explorer.EXE |
| Token: SeCreatePagefilePrivilege | 2944 | Explorer.EXE |
| Token: SeShutdownPrivilege | 2944 | Explorer.EXE |
| Token: SeCreatePagefilePrivilege | 2944 | Explorer.EXE |
| Token: SeShutdownPrivilege | 2944 | Explorer.EXE |
| Token: SeCreatePagefilePrivilege | 2944 | Explorer.EXE |
| Token: SeShutdownPrivilege | 2944 | Explorer.EXE |
| Token: SeCreatePagefilePrivilege | 2944 | Explorer.EXE |
| Token: SeShutdownPrivilege | 2944 | Explorer.EXE |
| Token: SeCreatePagefilePrivilege | 2944 | Explorer.EXE |
| Token: SeShutdownPrivilege | 2944 | Explorer.EXE |
| Token: SeCreatePagefilePrivilege | 2944 | Explorer.EXE |
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: powershell.exe, csc.exe (two instances), Explorer.EXE

| description | pid | process | target process |
|---|---|---|---|
| PID 2172 wrote to memory of 2312 | 2172 | powershell.exe | csc.exe |
| PID 2172 wrote to memory of 2312 | 2172 | powershell.exe | csc.exe |
| PID 2312 wrote to memory of 2556 | 2312 | csc.exe | cvtres.exe |
| PID 2312 wrote to memory of 2556 | 2312 | csc.exe | cvtres.exe |
| PID 2172 wrote to memory of 3640 | 2172 | powershell.exe | csc.exe |
| PID 2172 wrote to memory of 3640 | 2172 | powershell.exe | csc.exe |
| PID 3640 wrote to memory of 184 | 3640 | csc.exe | cvtres.exe |
| PID 3640 wrote to memory of 184 | 3640 | csc.exe | cvtres.exe |
| PID 2172 wrote to memory of 2944 | 2172 | powershell.exe | Explorer.EXE |
| PID 2944 wrote to memory of 5140 | 2944 | Explorer.EXE | notepad.exe |
| PID 2944 wrote to memory of 5140 | 2944 | Explorer.EXE | notepad.exe |
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\skyfall_user wilsonk_wilsonk_ste.txt.ps1"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rrlerdz4\rrlerdz4.cmdline"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CF1.tmp" "c:\Users\Admin\AppData\Local\Temp\rrlerdz4\CSC297A4DFDC8654DD6B9B0C3AF8F13DBC4.TMP"
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\psmt24e1\psmt24e1.cmdline"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31E3.tmp" "c:\Users\Admin\AppData\Local\Temp\psmt24e1\CSCD7916F1960554135943BFA7D3BEFFFA6.TMP"
  - C:\Windows\system32\notepad.exe
    Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\5CBD01-Readme.txt"
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads