Analysis

max time kernel: 129s
max time network: 124s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:17

Static task: static1

Behavioral task: behavioral1
Sample: b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe
Resource: win7v20201028

Behavioral task: behavioral2
Sample: b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe
Resource: win10v20201028

General

Target: b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe
Size: 148KB
MD5: 291e1ce9cd3ea77fb64937d3212e8ef6
SHA1: 68fd5b77f7e6824545664a620a62de630948e4b0
SHA256: b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2
SHA512: a63ef33ee1fa00e0bf9e395a9f3ed8793b1dcc1b90a1bf5e7d8dcae5e9fb28cb28eaf0c658883d66566a0eef6986e7377147ed26310d2e3e79d71e223cae1633
Malware Config

The ransom note was extracted from three locations; all three yield the same configuration.

Extracted from: C:\C6AD3-Readme.txt
Family: netwalker
Emails:
- sevenoneone@cock.li
- kavariusing@tutanota.com

Extracted from: C:\Program Files\VideoLAN\VLC\lua\http\js\C6AD3-Readme.txt
Family: netwalker
Emails: same two addresses as above

Extracted from: C:\Program Files (x86)\Microsoft Office\Templates\1033\C6AD3-Readme.txt
Family: netwalker
Emails: same two addresses as above
Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery. In this run the deletion is the vssadmin.exe delete shadows /all /quiet child process shown under Processes.

Deletes itself (1 IoC)
Processes:
- cmd.exe (pid 4188)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Modifies service (2 TTPs, 5 IoCs)
Processes (vssvc.exe):
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Note that these keys are written by vssvc.exe itself (the VSS service's own Diag entries for its writers) as a side effect of the shadow-copy request, not by the sample, and they are not a persistence change.
Drops file in Program Files directory (7478 IoCs)
Processes (b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe; the 64 IoCs rendered on the page are listed, the remainder are not):
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07804_.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN011.XML
- File created C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\C6AD3-Readme.txt
- File opened for modification C:\Program Files\Java\jre7\lib\zi\Indian\Cocos
- File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\MST7MDT
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEM.CFG
- File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLFLTR.DAT
- File opened for modification C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\LogoDev.png
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.ja_5.5.0.165303.jar
- File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-11
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237759.WMF
- File opened for modification C:\Program Files\VideoLAN\VLC\COPYING.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.JP.XML
- File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Krasnoyarsk
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02958_.WMF
- File created C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\C6AD3-Readme.txt
- File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\C6AD3-Readme.txt
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kolkata
- File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbynet.jar
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_ja.jar
- File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CharSetTable.chr
- File opened for modification C:\Program Files\7-Zip\Lang\sq.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Status Report.fdt
- File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\C6AD3-Readme.txt
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay
- File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+3
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR4F.GIF
- File opened for modification C:\Program Files\SyncClose.m3u
- File opened for modification C:\Program Files\7-Zip\Lang\lv.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01176_.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382927.JPG
- File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101864.BMP
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\default.jfc
- File opened for modification C:\Program Files\Java\jre7\lib\tzmappings
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR36F.GIF
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PNCTUATE.POC
- File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf
- File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\C6AD3-Readme.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0089992.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19695_.WMF
- File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\C6AD3-Readme.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00438_.WMF
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\LICENSE
- File opened for modification C:\Program Files\Java\jre7\lib\cmm\CIEXYZ.pf
- File opened for modification C:\Program Files\Java\jre7\lib\plugin.jar
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241781.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00423_.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALENDAR.DPV
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar
- File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18221_.WMF
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_ja.jar
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00015_.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER11.POC
- File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21312_.GIF
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- vssadmin.exe (pid 4920)

Kills process with taskkill (2 IoCs)
Processes:
- taskkill.exe (pid 3284)
- taskkill.exe (pid 4196)

Suspicious behavior: EnumeratesProcesses (216 IoCs)
Processes:
- b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe (pid 1808); the page repeats this same row once per enumeration event
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 1808, b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe
- Token: SeImpersonatePrivilege, pid 1808, b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe
- Token: SeBackupPrivilege, pid 936, vssvc.exe
- Token: SeRestorePrivilege, pid 936, vssvc.exe
- Token: SeAuditPrivilege, pid 936, vssvc.exe
- Token: SeDebugPrivilege, pid 3284, taskkill.exe
- Token: SeDebugPrivilege, pid 4196, taskkill.exe
The privileges enabled by vssvc.exe and by taskkill /F are the ones those tools normally request; the sample's own SeDebugPrivilege and SeImpersonatePrivilege (pid 1808) are the entries of interest.

Suspicious use of WriteProcessMemory (20 IoCs)
Processes (each parent/child pair is recorded four times, giving 20 entries):
- PID 1808 (b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe) wrote to memory of 4508 (notepad.exe)
- PID 1808 (b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe) wrote to memory of 4920 (vssadmin.exe)
- PID 1808 (b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe) wrote to memory of 4188 (cmd.exe)
- PID 4188 (cmd.exe) wrote to memory of 3284 (taskkill.exe)
- PID 4188 (cmd.exe) wrote to memory of 4196 (taskkill.exe)
Every pair matches a parent/child edge in the process tree below, so these are the writes a parent makes into a child it has just created, not injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe (pid 1808)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\notepad.exe (pid 4508)
    Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\C6AD3-Readme.txt"

  C:\Windows\system32\vssadmin.exe (pid 4920)
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies

  C:\Windows\SysWOW64\cmd.exe (pid 4188)
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\F547.tmp.bat"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe (pid 3284)
      Command line: taskkill /F /im "b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\taskkill.exe (pid 4196)
      Command line: taskkill /F /im "b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (pid 936)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
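The process tree above carries three behaviours worth turning into detection logic: the vssadmin shadow-copy wipe, the self-delete chain (sample -> cmd /c %TEMP%\*.bat -> taskkill /F /im <sample image>), and the ransom note being dropped across directories and opened in notepad. The following is an added example written for this page, not part of the sandbox report or of any vendor tooling; it runs over log lines constructed from the report's own process tree and file IoCs, and the 'pid|ppid|image|cmdline' / 'pid|action|path' layouts, the hex-ID width in NOTE_RE, and the pid/image values are assumptions taken from this page rather than a real export format.

```python
import ntpath
import re
from collections import defaultdict

# Added example: constructed logs modelled on this report, not the sandbox's export format.
SAMPLE = "b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
# The note seen here is C6AD3-Readme.txt; the hex-ID width range is an assumption.
NOTE_RE = re.compile(r"^[0-9A-F]{4,8}-Readme\.txt$", re.IGNORECASE)
TASKKILL_IM = re.compile(r'/im\s+"?([^"\s]+)"?', re.IGNORECASE)

# Process events (pid|ppid|image|cmdline) taken from the Processes section.
PROC_LOG = "\n".join([
    f'1808|0|{TEMP}\\{SAMPLE}|"{TEMP}\\{SAMPLE}"',
    '4508|1808|C:\\Windows\\SysWOW64\\notepad.exe|C:\\Windows\\system32\\notepad.exe "C:\\Users\\Admin\\Desktop\\C6AD3-Readme.txt"',
    "4920|1808|C:\\Windows\\system32\\vssadmin.exe|C:\\Windows\\system32\\vssadmin.exe delete shadows /all /quiet",
    f'4188|1808|C:\\Windows\\SysWOW64\\cmd.exe|cmd /c "{TEMP}\\F547.tmp.bat"',
    f'3284|4188|C:\\Windows\\SysWOW64\\taskkill.exe|taskkill /F /im "{SAMPLE}"',
    f'4196|4188|C:\\Windows\\SysWOW64\\taskkill.exe|taskkill /F /im "{SAMPLE}"',
])
# File events (pid|action|path), a few of the 7478 Program Files IoCs.
FILE_LOG = "\n".join([
    "1808|File created|C:\\Program Files (x86)\\Microsoft Office\\Office14\\ACCWIZ\\C6AD3-Readme.txt",
    "1808|File opened for modification|C:\\Program Files (x86)\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF",
    "1808|File opened for modification|C:\\Program Files\\Java\\jre7\\lib\\zi\\Indian\\Cocos",
    "1808|File created|C:\\Program Files\\VideoLAN\\VLC\\locale\\ja\\LC_MESSAGES\\C6AD3-Readme.txt",
    "1808|File opened for modification|C:\\Program Files\\7-Zip\\Lang\\sq.txt",
    "1808|File created|C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\visualvm\\platform\\modules\\C6AD3-Readme.txt",
])

def parse_procs(text):
    """pid -> {pid, ppid, image, cmdline}; dict order is event order."""
    procs = {}
    for line in filter(None, text.splitlines()):
        pid, ppid, image, cmdline = line.split("|", 3)
        procs[int(pid)] = {"pid": int(pid), "ppid": int(ppid), "image": image, "cmdline": cmdline}
    return procs

def parse_file_events(text):
    events = []
    for line in filter(None, text.splitlines()):
        pid, action, path = line.split("|", 2)
        events.append({"pid": int(pid), "action": action, "path": path})
    return events

def image_name(proc):
    return ntpath.basename(proc["image"]).lower()

def shadow_copy_deletion(procs):
    """Pids running vssadmin 'delete shadows' (whitespace-normalised, case-insensitive)."""
    return [p["pid"] for p in procs.values() if image_name(p) == "vssadmin.exe"
            and "delete shadows" in " ".join(p["cmdline"].lower().split())]

def self_delete_chain(procs):
    """(taskkill pid, victim pid): taskkill spawned by cmd running a %TEMP% .bat, whose
    /im target is the image of the process that launched that cmd (the self-delete pattern)."""
    pairs = []
    for p in procs.values():
        m = TASKKILL_IM.search(p["cmdline"]) if image_name(p) == "taskkill.exe" else None
        cmd = procs.get(p["ppid"])
        if not m or not cmd or image_name(cmd) != "cmd.exe":
            continue
        if not re.search(r'\\temp\\[^"]+\.bat', cmd["cmdline"], re.IGNORECASE):
            continue
        victim = procs.get(cmd["ppid"])
        if victim and image_name(victim) == m.group(1).lower():
            pairs.append((p["pid"], victim["pid"]))
    return pairs

def ransom_note_display(procs):
    """notepad.exe launched on a file named like the ransom note."""
    return [(p["pid"], arg) for p in procs.values() if image_name(p) == "notepad.exe"
            for arg in re.findall(r'"([^"]+)"', p["cmdline"]) if NOTE_RE.match(ntpath.basename(arg))]

def ransom_note_drops(events):
    """pid -> sorted directories in which a note-named file was created."""
    dirs = defaultdict(set)
    for e in events:
        if e["action"] == "File created" and NOTE_RE.match(ntpath.basename(e["path"])):
            dirs[e["pid"]].add(ntpath.dirname(e["path"]))
    return {pid: sorted(d) for pid, d in dirs.items()}

def triage(proc_text=PROC_LOG, file_text=FILE_LOG):
    procs, events = parse_procs(proc_text), parse_file_events(file_text)
    shadows, chains, notes = shadow_copy_deletion(procs), self_delete_chain(procs), ransom_note_drops(events)
    return {
        "shadow_copy_deletion": shadows,
        "self_delete": chains,
        "note_displayed": ransom_note_display(procs),
        "note_dirs": notes,
        "files_touched": sum(e["action"] == "File opened for modification" for e in events),
        # shadow wipe + note drop + self-delete together is the pattern worth paging on
        "ransomware_pattern": bool(shadows and chains and notes),
    }

if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The self-delete check deliberately walks two hops (taskkill -> cmd -> launcher) and compares the taskkill /im argument against the launcher's image name, so an ordinary administrator running taskkill from a console does not trip it; the note-drop check keys on a file created with the note's name in more than one directory, which is what distinguishes a ransom note from a single stray text file.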
Network
(no entries rendered on this page)

MITRE ATT&CK Matrix (ATT&CK v6)
(mapping not rendered on this page)
Downloads

C:\Users\Admin\AppData\Local\Temp\F547.tmp.bat (the batch file run by cmd.exe pid 4188 in the self-delete step)
MD5: b58d61ac5cbb4c6be9037fc8d97c534a
SHA1: d6d1f82614055c1d23744149784683a11ba8570a
SHA256: b0679ca882b3d3474f82cf52cd236339aa826e044866c93bf8fc3ee658864af1
SHA512: 4a536494166b716ca84cc76c0e19426d3dd1af37945c99f2652853e9525e5a933b30e8eaf83f294fa5731665ac0416652a8cdbdd0bfd31f2a2440cac9f11c0ec

C:\Users\Admin\Desktop\C6AD3-Readme.txt (the ransom note opened in notepad.exe pid 4508)
MD5: 0c2a873601d7998e662cd0488591623c
SHA1: 82f2104bb9e26480dac7bb719121f6fda30cb4ab
SHA256: 859d0d7891e690529ae9384c8f0944f762c7c6f10517b1c0eebd13cb8096c20f
SHA512: 48cde32f87653079cda88c227a700d0b28a448dd39746579ff99ddc97fd36a2d2a82a3109b33338a6319ef331f67b102cc1607f6fcf6f348f5c7af125b76e452

Memory dumps:
- memory/3284-14-0x0000000000000000-mapping.dmp
- memory/4188-9-0x0000000000000000-mapping.dmp
- memory/4196-15-0x0000000000000000-mapping.dmp
- memory/4508-3-0x0000000000000000-mapping.dmp
- memory/4920-6-0x0000000000000000-mapping.dmp