Analysis
- max time kernel: 158s
- max time network: 167s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
  Sample: 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614.bin.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614.bin.exe
  Resource: win10v20201028
General
- Target: 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614.bin.exe
- Size: 69KB
- MD5: 5f55ac3dd18950583dadffc1970745c5
- SHA1: 6a13535190bdcd62af6b4930ea28664c13c6a6be
- SHA256: 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614
- SHA512: 0839dfa13d2fa8752b032ccdb57c15533785724226a156e6c3befb0209a5d5ea8282217f7737ce9b3d6566f3c47abba6586c922063f3ca1fefa267b228f6b062
Malware Config
Extracted: C:\Program Files\Microsoft Office\Office14\95D67D-Readme.txt
  Family: netwalker
  http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted: C:\Program Files\Java\jdk1.7.0_80\95D67D-Readme.txt
  Family: netwalker
  http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted: C:\Users\Admin\Documents\95D67D-Readme.txt
  Family: netwalker
  http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
- Netwalker Ransomware
  Ransomware family with multiple versions. Also known as MailTo.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (15 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614.bin.exe (process column for every entry below)
  description | ioc
  File renamed | C:\Users\Admin\Pictures\InstallPing.crw => C:\Users\Admin\Pictures\InstallPing.crw.95d67d
  File renamed | C:\Users\Admin\Pictures\EnableSwitch.crw => C:\Users\Admin\Pictures\EnableSwitch.crw.95d67d
  File opened for modification | C:\Users\Admin\Pictures\WatchUninstall.tiff
  File renamed | C:\Users\Admin\Pictures\TraceExit.png => C:\Users\Admin\Pictures\TraceExit.png.95d67d
  File renamed | C:\Users\Admin\Pictures\OpenReceive.tif => C:\Users\Admin\Pictures\OpenReceive.tif.95d67d
  File renamed | C:\Users\Admin\Pictures\PushEnable.crw => C:\Users\Admin\Pictures\PushEnable.crw.95d67d
  File renamed | C:\Users\Admin\Pictures\NewSync.crw => C:\Users\Admin\Pictures\NewSync.crw.95d67d
  File renamed | C:\Users\Admin\Pictures\CompareDismount.png => C:\Users\Admin\Pictures\CompareDismount.png.95d67d
  File renamed | C:\Users\Admin\Pictures\CompleteUnblock.png => C:\Users\Admin\Pictures\CompleteUnblock.png.95d67d
  File opened for modification | C:\Users\Admin\Pictures\MoveFind.tiff
  File renamed | C:\Users\Admin\Pictures\CompressUnregister.raw => C:\Users\Admin\Pictures\CompressUnregister.raw.95d67d
  File renamed | C:\Users\Admin\Pictures\WatchUninstall.tiff => C:\Users\Admin\Pictures\WatchUninstall.tiff.95d67d
  File renamed | C:\Users\Admin\Pictures\StopRequest.raw => C:\Users\Admin\Pictures\StopRequest.raw.95d67d
  File renamed | C:\Users\Admin\Pictures\MoveFind.tiff => C:\Users\Admin\Pictures\MoveFind.tiff.95d67d
  File renamed | C:\Users\Admin\Pictures\DenyUndo.png => C:\Users\Admin\Pictures\DenyUndo.png.95d67d
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe (process column for every entry below)
  description | ioc
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
- Drops file in Program Files directory (7486 IoCs)
  Processes: 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614.bin.exe (process column for every entry below)
  description | ioc
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00414_.WMF
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_basestyle.css
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCHKBRD.DPV
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART10.BDR
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01173_.WMF
  File created | C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\95D67D-Readme.txt
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00736_.WMF
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tunis
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00006_.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Pushpin.thmx
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Black Tie.eftx
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382968.JPG
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\95D67D-Readme.txt
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\utilityfunctions.js
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\abcpy.ini
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR41F.GIF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME40.CSS
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00132_.WMF
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_ja.jar
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Athens
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Edmonton
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01040_.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0314068.JPG
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01164_.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Clarity.eftx
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\HEADER.GIF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0292982.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\DRUMROLL.WAV
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00578_.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR26F.GIF
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Indian\Mahe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME09.CSS
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01658_.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VeriSign_Class_3_Public_Primary_CA.cer
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mahe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15168_.GIF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00799_.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106146.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304853.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHigh.jpg
  File opened for modification | C:\Program Files\Java\jre7\lib\deploy\messages_zh_CN.properties
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_zh_4.4.0.v20140623020002.jar
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00129_.GIF
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\UCT
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143752.GIF
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\main.css
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_VelvetRose.gif
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18256_.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_alignright.gif
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR17F.GIF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175361.JPG
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_COL.HXT
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02009_.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WING1.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\UTILITY.ACCDA
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.TH.XML
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  2040 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (23053 IoCs)
  Processes: 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614.bin.exe
  pid | process
  1632 | 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614.bin.exe (this identical entry is repeated for every enumeration event in the displayed sample)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614.bin.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1632 | 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614.bin.exe
  Token: SeImpersonatePrivilege | 1632 | 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614.bin.exe
  Token: SeBackupPrivilege | 7036 | vssvc.exe
  Token: SeRestorePrivilege | 7036 | vssvc.exe
  Token: SeAuditPrivilege | 7036 | vssvc.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614.bin.exe
  description | pid | process | target process
  PID 1632 wrote to memory of 2040 | 1632 | 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614.bin.exe | vssadmin.exe
  PID 1632 wrote to memory of 2040 | 1632 | 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614.bin.exe | vssadmin.exe
  PID 1632 wrote to memory of 2040 | 1632 | 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614.bin.exe | vssadmin.exe
  PID 1632 wrote to memory of 2040 | 1632 | 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614.bin.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614.bin.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2040-0-0x0000000000000000-mapping.dmp