Analysis
- max time kernel: 119s
- max time network: 35s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
  Sample: 02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77.exe
  Resource: win10v20201028
General
- Target: 02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77.exe
- Size: 69KB
- MD5: 4e59fba21c5e9ec603f28a92d9efd8d0
- SHA1: e57731be1f15c323a7b55b914a0599722ff3985f
- SHA256: 02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77
- SHA512: 80c0a9a8e0ef48c7ca23136cf84eaab568f5dc261ecd348916a382098d8ffa24144637afda5c0649886f2484e8855c6a16c34b0b1c2fe008480a1d035f8dab65
Malware Config
Extracted from: C:\Users\Public\Libraries\2D8AA1-Readme.txt
  netwalker
  http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted from: C:\Program Files (x86)\Microsoft Office\Document Themes 14\2D8AA1-Readme.txt
  netwalker
  http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
- Netwalker Ransomware
  Ransomware family with multiple versions. Also known as MailTo.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (5 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77.exe
    File opened for modification: C:\Users\Admin\Pictures\TestWrite.tiff
    File renamed: C:\Users\Admin\Pictures\TestWrite.tiff => C:\Users\Admin\Pictures\TestWrite.tiff.2d8aa1
    File renamed: C:\Users\Admin\Pictures\UnpublishUnregister.tif => C:\Users\Admin\Pictures\UnpublishUnregister.tif.2d8aa1
    File renamed: C:\Users\Admin\Pictures\LockWatch.tif => C:\Users\Admin\Pictures\LockWatch.tif.2d8aa1
    File renamed: C:\Users\Admin\Pictures\SelectUse.crw => C:\Users\Admin\Pictures\SelectUse.crw.2d8aa1
- Deletes itself (1 IoCs)
  Processes: cmd.exe (pid 6056)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
- Drops file in Program Files directory (7483 IoCs)
  Processes: 02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (pid 1904)
- Kills process with taskkill (1 IoCs)
  Processes: taskkill.exe (pid 6792)
- Suspicious behavior: EnumeratesProcesses (17625 IoCs)
  Processes: 02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77.exe (pid 1732)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: 02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77.exe, vssvc.exe, taskkill.exe
    Token: SeDebugPrivilege        pid 1732  02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77.exe
    Token: SeImpersonatePrivilege  pid 1732  02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77.exe
    Token: SeBackupPrivilege       pid 7852  vssvc.exe
    Token: SeRestorePrivilege      pid 7852  vssvc.exe
    Token: SeAuditPrivilege        pid 7852  vssvc.exe
    Token: SeDebugPrivilege        pid 6792  taskkill.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77.exe, cmd.exe
    PID 1732 wrote to memory of 1904: 02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77.exe -> vssadmin.exe (4 events)
    PID 1732 wrote to memory of 6012: 02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77.exe -> notepad.exe (4 events)
    PID 1732 wrote to memory of 6056: 02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77.exe -> cmd.exe (4 events)
    PID 6056 wrote to memory of 6792: cmd.exe -> taskkill.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\vssadmin.exe (depth 2)
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\notepad.exe (depth 2)
    Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\2D8AA1-Readme.txt"
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\EC90.tmp.bat"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill /F /PID 1732
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\EC90.tmp.bat
  MD5: ae66f6eb5838f83fa61f66bdb13e23ea
  SHA1: 806e6a21fca3ef22516647ad24c4aa7835802239
  SHA256: 2d9d8e49d3b7318aa1b0dc00a58c4b9b4cdc79e5eeee6076191b719511e15307
  SHA512: e119c44f8ce27ebebe398cee152bd03319cc6619d52aa74d73df417bdde15e3155f7a3f0b5630f3fe98fa4b33fecf964a201214721770e22568c3d0d47b69d1b
- C:\Users\Admin\Desktop\2D8AA1-Readme.txt
  MD5: 04c710de8fde3fe7b0784830315d8f14
  SHA1: 77d45a64608a6d434e6d9828730fc28b923fc043
  SHA256: 854cbfc7094e760eb0bbd2f5264e10f5b9e29d41bdf2d281b0caa746343b3203
  SHA512: 295d9b434d5829805f6a8e52edb497ad42ca80b6efebfc288f1935742391f95fb898c8889eb45cb23fba8bda4361d19ea587b76a5c348911dd84b09e4055f5eb
- memory/1904-0-0x0000000000000000-mapping.dmp
- memory/6012-4-0x0000000000000000-mapping.dmp
- memory/6056-7-0x0000000000000000-mapping.dmp
- memory/6792-12-0x0000000000000000-mapping.dmp