Analysis
- max time kernel: 119s
- max time network: 42s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
- Sample: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe
- Resource: win10v20201028
General
- Target: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe
- Size: 69KB
- MD5: 608ac26ea80c189ed8e0f62dd4fd8ada
- SHA1: c5b3fa421db00fe931f439af5df4f65f7f3d9a1a
- SHA256: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010
- SHA512: 57951e09485961814bf018b3a10b6ad2e68f76409bcfce509afb979eee3dc0010af891d0efa094c0510ff26b21812b2d9528cce2bbc362c9830ae00b1610c4ad
Malware Config
- Extracted from C:\9BD76B-Readme.txt:
  http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
- Extracted from C:\Program Files\9BD76B-Readme.txt:
  http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (10 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe
  - File opened for modification C:\Users\Admin\Pictures\DebugTest.tiff
  - File renamed C:\Users\Admin\Pictures\StartReset.crw => C:\Users\Admin\Pictures\StartReset.crw.9bd76b
  - File renamed C:\Users\Admin\Pictures\UnlockResolve.tif => C:\Users\Admin\Pictures\UnlockResolve.tif.9bd76b
  - File renamed C:\Users\Admin\Pictures\RequestGet.raw => C:\Users\Admin\Pictures\RequestGet.raw.9bd76b
  - File renamed C:\Users\Admin\Pictures\ReceiveRedo.tif => C:\Users\Admin\Pictures\ReceiveRedo.tif.9bd76b
  - File renamed C:\Users\Admin\Pictures\RemoveMount.png => C:\Users\Admin\Pictures\RemoveMount.png.9bd76b
  - File renamed C:\Users\Admin\Pictures\DebugTest.tiff => C:\Users\Admin\Pictures\DebugTest.tiff.9bd76b
  - File renamed C:\Users\Admin\Pictures\HideNew.png => C:\Users\Admin\Pictures\HideNew.png.9bd76b
  - File renamed C:\Users\Admin\Pictures\MergeEnable.raw => C:\Users\Admin\Pictures\MergeEnable.raw.9bd76b
  - File renamed C:\Users\Admin\Pictures\ConnectUninstall.tif => C:\Users\Admin\Pictures\ConnectUninstall.tif.9bd76b
- Deletes itself (1 IoC)
  Process: cmd.exe (pid 6952)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Modifies service (2 TTPs, 5 IoCs)
  Process: vssvc.exe
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Drops file in Program Files directory (7470 IoCs)
  Process: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe
  - File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml
  - File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Troll
  - File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar
  - File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\core_visualvm.jar
  - File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152894.WMF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_05.MID
  - File created C:\Program Files\Google\Chrome\Application\86.0.4240.111\WidevineCdm\9BD76B-Readme.txt
  - File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Oslo
  - File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152708.WMF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCOUPON.XML
  - File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\.eclipseproduct
  - File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf
  - File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK_F_COL.HXK
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE06049_.WMF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\DELIMWIN.FAE
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MML2OMML.XSL
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090087.WMF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01040_.WMF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01184_.WMF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21337_.GIF
  - File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Faroe
  - File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099196.GIF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BAN98.POC
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0089992.WMF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01191_.WMF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR5B.GIF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086426.WMF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099180.WMF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Perspective.dotx
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml
  - File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Fakaofo
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00943_.WMF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR34F.GIF
  - File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk
  - File opened for modification C:\Program Files\7-Zip\Lang\sa.txt
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR24F.GIF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15058_.GIF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200279.WMF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03241_.WMF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME03.CSS
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML
  - File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\9BD76B-Readme.txt
  - File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21481_.GIF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02752U.BMP
  - File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\9BD76B-Readme.txt
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP
  - File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h
  - File created C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\9BD76B-Readme.txt
  - File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bangkok
  - File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0234376.WMF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0324694.WMF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386485.JPG
  - File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR21F.GIF
  - File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00625_.WMF
  - File opened for modification C:\Program Files\7-Zip\Lang\lv.txt
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen.css
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Process: vssadmin.exe (pid 2024)
- Kills process with taskkill (1 IoC)
  Process: taskkill.exe (pid 568)
- Suspicious behavior: EnumeratesProcesses (16721 IoCs)
  Process: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe (pid 844); the same pid/process row is reported for every listed IoC.
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe, vssvc.exe, taskkill.exe
  - Token: SeDebugPrivilege, pid 844, c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe
  - Token: SeImpersonatePrivilege, pid 844, c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe
  - Token: SeBackupPrivilege, pid 2612, vssvc.exe
  - Token: SeRestorePrivilege, pid 2612, vssvc.exe
  - Token: SeAuditPrivilege, pid 2612, vssvc.exe
  - Token: SeDebugPrivilege, pid 568, taskkill.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe, cmd.exe
  - PID 844 wrote to memory of 2024: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe -> vssadmin.exe (reported 4 times)
  - PID 844 wrote to memory of 6868: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe -> notepad.exe (reported 4 times)
  - PID 844 wrote to memory of 6952: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe -> cmd.exe (reported 4 times)
  - PID 6952 wrote to memory of 568: cmd.exe -> taskkill.exe (reported 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\notepad.exe
    Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\9BD76B-Readme.txt"
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\F038.tmp.bat"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /PID 844
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\F038.tmp.bat
  MD5: 7844035257d26b11f6237fbc0f6b8956
  SHA1: 23b80b9b57a174a416be79dc939aa34e28787439
  SHA256: 51777bf3e6d4742c4159020e8388174a7b39b7771fcc14761cf2a5a34d826ce6
  SHA512: b457fe73d99968a5a62f23b24c0ab8986cb7572927e307b31482f7d4d2bfa96ab61782056badb357f2850c32401826f04777f5a827b3ac433fdbcbcbd271900c
- C:\Users\Admin\Desktop\9BD76B-Readme.txt
  MD5: a604144bcace154f21bdf6d0e470f88f
  SHA1: 96482cd8c2328d30593159d9cc106eddf57e0fd2
  SHA256: b95537b48da34575b2549ccd9c546e5757c1f05861e60f8dd508f3984490ec7c
  SHA512: 9f59cc77bc94e249fb9fab94b48343ff96270bbce54154465c6dd30a5ab4cea673da471645d0161348033146834219c001e26a77e2ee6fd3eaba8b64b5a51f55
- memory/568-11-0x0000000000000000-mapping.dmp
- memory/2024-0-0x0000000000000000-mapping.dmp
- memory/6868-3-0x0000000000000000-mapping.dmp
- memory/6952-6-0x0000000000000000-mapping.dmp