Analysis
- max time kernel: 154s
- max time network: 137s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:17
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
  - Resource: win7v20201028
Behavioral task
- behavioral2
  - Sample: 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
  - Resource: win10v20201028
General
- Target: 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
- Size: 69KB
- MD5: c0dda75c6eae48a26383f54052e48ebc
- SHA1: 3c4d317985bba081ffef4dce41150842ec6be08d
- SHA256: 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2
- SHA512: 9909e1b47ba89b5efe2c03394912cf9504b1f7601e6d2905839e7901ffa8c586c25a140242d4e7fc8626827c8153e4f0c7a878a1d0690c45872ebcee14331efb
Malware Config
Extracted
- Path: C:\Program Files\Google\Chrome\Application\FECFC2-Readme.txt
- Family: netwalker
- URLs:
  - http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  - http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted
- Path: C:\Users\Admin\Desktop\FECFC2-Readme.txt
- Family: netwalker
- URLs:
  - http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  - http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\WaitFind.tif => C:\Users\Admin\Pictures\WaitFind.tif.fecfc2 | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File renamed | C:\Users\Admin\Pictures\CompressStop.tif => C:\Users\Admin\Pictures\CompressStop.tif.fecfc2 | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File renamed | C:\Users\Admin\Pictures\SetConvertFrom.raw => C:\Users\Admin\Pictures\SetConvertFrom.raw.fecfc2 | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File renamed | C:\Users\Admin\Pictures\RemoveStop.tiff => C:\Users\Admin\Pictures\RemoveStop.tiff.fecfc2 | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Users\Admin\Pictures\BackupInvoke.tiff | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Users\Admin\Pictures\RemoveStop.tiff | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File renamed | C:\Users\Admin\Pictures\UninstallReceive.raw => C:\Users\Admin\Pictures\UninstallReceive.raw.fecfc2 | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File renamed | C:\Users\Admin\Pictures\AddUnlock.tif => C:\Users\Admin\Pictures\AddUnlock.tif.fecfc2 | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File renamed | C:\Users\Admin\Pictures\PushMount.crw => C:\Users\Admin\Pictures\PushMount.crw.fecfc2 | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File renamed | C:\Users\Admin\Pictures\BackupInvoke.tiff => C:\Users\Admin\Pictures\BackupInvoke.tiff.fecfc2 | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Modifies service 2 TTPs 5 IoCs
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
-
Drops file in Program Files directory 3490 IoCs
Processes: 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART15.BDR | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00090_.GIF | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\attention.gif | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File created | C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\FECFC2-Readme.txt | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ASCIIENG.LNG | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Couture.eftx | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00195_.WMF | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\Notebook03.onepkg | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\FECFC2-Readme.txt | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861261279.profile.gz | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic.xml | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.GIF | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File created | C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\FECFC2-Readme.txt | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\mscss7cm_en.dub | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Grid.thmx | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CONTACTINFOBB.DPV | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\FECFC2-Readme.txt | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierCloseButton.jpg | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\APPLAUSE.WAV | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7EN.LEX | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\ROGERS.COM.XML | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10301_.GIF | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_VelvetRose.gif | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LETTHEAD.XML | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00126_.GIF | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\view.html | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02097_.GIF | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Angles.xml | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\86.0.4240.111\icudtl.dat | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files\7-Zip\Lang\en.ttt | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\Management.cer | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143750.GIF | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\HEADER.GIF | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\IPIRM.XML | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Metro.thmx | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveReport.dotx | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00262_.WMF | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterNotificationDescriptors.xml | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18197_.WMF | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File created | C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\FECFC2-Readme.txt | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.SF | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.Xml.xml | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.war | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_fr.jar | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Northwind.accdt | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.ES.XML | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18185_.WMF | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199036.WMF | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\SUBMIT.JS | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Composite.eftx | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
1436 | vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 26545 IoCs
Processes: 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
pid | process
1656 | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
(the report repeats this same pid/process row for every displayed IoC; 26545 IoCs were recorded in total)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 1656 | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
Token: SeImpersonatePrivilege | 1656 | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
Token: SeBackupPrivilege | 4388 | vssvc.exe
Token: SeRestorePrivilege | 4388 | vssvc.exe
Token: SeAuditPrivilege | 4388 | vssvc.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
description | pid | process | target process
PID 1656 wrote to memory of 1436 | 1656 | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe | vssadmin.exe
PID 1656 wrote to memory of 1436 | 1656 | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe | vssadmin.exe
PID 1656 wrote to memory of 1436 | 1656 | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe | vssadmin.exe
PID 1656 wrote to memory of 1436 | 1656 | 84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2.bin.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1436-0-0x0000000000000000-mapping.dmp