Analysis
- max time kernel: 122s
- max time network: 119s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:17

Static task: static1
Behavioral task: behavioral1
  Sample: 4abf2d4b604ad5c3dca0006e9762562ea104e76e7c0dcfa8fddafda8b11b2eaf.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 4abf2d4b604ad5c3dca0006e9762562ea104e76e7c0dcfa8fddafda8b11b2eaf.exe
  Resource: win10v20201028

General
- Target: 4abf2d4b604ad5c3dca0006e9762562ea104e76e7c0dcfa8fddafda8b11b2eaf.exe
- Size: 69KB
- MD5: 729928e6fd6adafdd0a7fe876701bd7e
- SHA1: 0aa73a466c599b0b2c6e60f0aa0676b9bf6741c7
- SHA256: 4abf2d4b604ad5c3dca0006e9762562ea104e76e7c0dcfa8fddafda8b11b2eaf
- SHA512: ebb5b53b5f4b6a3fcf7b7b19b4b7f657f0a03268223d6fd1209e2e4b9d837a8aa3a8ce79ab64a2a843c120cec366d4191f1e0452529d8360ed0ee06c0c75445e
Malware Config
- Extracted from C:\Users\Public\Libraries\F12A68-Readme.txt
  Family: netwalker
  http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
- Extracted from C:\Users\Admin\AppData\Roaming\F12A68-Readme.txt
  Family: netwalker
  http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
- Extracted from C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\F12A68-Readme.txt
  Family: netwalker
  http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
- Netwalker Ransomware
  Ransomware family with multiple versions. Also known as MailTo.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (11 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 4abf2d4b604ad5c3dca0006e9762562ea104e76e7c0dcfa8fddafda8b11b2eaf.exe
  - File renamed: C:\Users\Admin\Pictures\StepComplete.tif => C:\Users\Admin\Pictures\StepComplete.tif.f12a68
  - File renamed: C:\Users\Admin\Pictures\JoinUse.raw => C:\Users\Admin\Pictures\JoinUse.raw.f12a68
  - File renamed: C:\Users\Admin\Pictures\ReceiveEnter.tiff => C:\Users\Admin\Pictures\ReceiveEnter.tiff.f12a68
  - File opened for modification: C:\Users\Admin\Pictures\ReceiveEnter.tiff
  - File renamed: C:\Users\Admin\Pictures\RedoRead.tif => C:\Users\Admin\Pictures\RedoRead.tif.f12a68
  - File renamed: C:\Users\Admin\Pictures\SetOut.crw => C:\Users\Admin\Pictures\SetOut.crw.f12a68
  - File renamed: C:\Users\Admin\Pictures\UnpublishReceive.tif => C:\Users\Admin\Pictures\UnpublishReceive.tif.f12a68
  - File renamed: C:\Users\Admin\Pictures\AddRegister.crw => C:\Users\Admin\Pictures\AddRegister.crw.f12a68
  - File renamed: C:\Users\Admin\Pictures\SplitRegister.crw => C:\Users\Admin\Pictures\SplitRegister.crw.f12a68
  - File renamed: C:\Users\Admin\Pictures\EnterGroup.crw => C:\Users\Admin\Pictures\EnterGroup.crw.f12a68
  - File renamed: C:\Users\Admin\Pictures\RequestRegister.crw => C:\Users\Admin\Pictures\RequestRegister.crw.f12a68
- Deletes itself (1 IoC)
  Processes:
  - PID 6124 cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- Drops file in Program Files directory (7480 IoCs)
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  - PID 1680 vssadmin.exe
- Kills process with taskkill (1 IoC)
  Processes:
  - PID 7612 taskkill.exe
- Suspicious behavior: EnumeratesProcesses (17119 IoCs)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: 4abf2d4b604ad5c3dca0006e9762562ea104e76e7c0dcfa8fddafda8b11b2eaf.exe, vssvc.exe, taskkill.exe
  - Token: SeDebugPrivilege, PID 1072, 4abf2d4b604ad5c3dca0006e9762562ea104e76e7c0dcfa8fddafda8b11b2eaf.exe
  - Token: SeImpersonatePrivilege, PID 1072, 4abf2d4b604ad5c3dca0006e9762562ea104e76e7c0dcfa8fddafda8b11b2eaf.exe
  - Token: SeBackupPrivilege, PID 1788, vssvc.exe
  - Token: SeRestorePrivilege, PID 1788, vssvc.exe
  - Token: SeAuditPrivilege, PID 1788, vssvc.exe
  - Token: SeDebugPrivilege, PID 7612, taskkill.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 4abf2d4b604ad5c3dca0006e9762562ea104e76e7c0dcfa8fddafda8b11b2eaf.exe, cmd.exe
  - PID 1072 (4abf2d4b604ad5c3dca0006e9762562ea104e76e7c0dcfa8fddafda8b11b2eaf.exe) wrote to memory of PID 1680 (vssadmin.exe), 4 entries
  - PID 1072 (4abf2d4b604ad5c3dca0006e9762562ea104e76e7c0dcfa8fddafda8b11b2eaf.exe) wrote to memory of PID 1208 (notepad.exe), 4 entries
  - PID 1072 (4abf2d4b604ad5c3dca0006e9762562ea104e76e7c0dcfa8fddafda8b11b2eaf.exe) wrote to memory of PID 6124 (cmd.exe), 4 entries
  - PID 6124 (cmd.exe) wrote to memory of PID 7612 (taskkill.exe), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\4abf2d4b604ad5c3dca0006e9762562ea104e76e7c0dcfa8fddafda8b11b2eaf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4abf2d4b604ad5c3dca0006e9762562ea104e76e7c0dcfa8fddafda8b11b2eaf.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\notepad.exe
    Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\F12A68-Readme.txt"
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\EE55.tmp.bat"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /PID 1072
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\EE55.tmp.bat
  MD5: 62977c18034c68d0dab3f3f8eeae4446
  SHA1: 5f684218d7e88e6c51f02680e0257ec7ae4bc8c1
  SHA256: e91e54b0ff36951474fa4b46121233d092c028b7f517b462357447843d29da30
  SHA512: 402384f53452916fdab4ace1cb4b5bb1a9b41361033cd9bba232e1a0ebbb5521945c86e785539c96c1e4a64184bb72d0eb9848bc5399e8f44226f7bbc9d2f430
- C:\Users\Admin\Desktop\F12A68-Readme.txt
  MD5: 074f6539470f0aad056bebbbdeb67b06
  SHA1: bc7fbacb5b864c1079f6f5aa8710e7671a7e8b1d
  SHA256: c4848ae66cc37112f351ae7e838705149e1a01e71e176715d79b066d7dbb7997
  SHA512: 93aa3a21a258585febc51ab3d3cc44d3a6e2ee5c46835345178b0b74a32355790f8fa618376d74d06a981cd3716860b73e4606b25e01bfcaeb8f1af19a061f68
- memory/1208-5-0x0000000000000000-mapping.dmp
- memory/1680-0-0x0000000000000000-mapping.dmp
- memory/6124-10-0x0000000000000000-mapping.dmp
- memory/7612-15-0x0000000000000000-mapping.dmp