Analysis
- max time kernel: 84s
- max time network: 155s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
  Sample: b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe
  Resource: win10v20201028
General
- Target: b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe
- Size: 148KB
- MD5: 291e1ce9cd3ea77fb64937d3212e8ef6
- SHA1: 68fd5b77f7e6824545664a620a62de630948e4b0
- SHA256: b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2
- SHA512: a63ef33ee1fa00e0bf9e395a9f3ed8793b1dcc1b90a1bf5e7d8dcae5e9fb28cb28eaf0c658883d66566a0eef6986e7377147ed26310d2e3e79d71e223cae1633
Malware Config
Family: netwalker
Emails: sevenoneone@cock.li, kavariusing@tutanota.com
The same configuration was extracted from each of these ransom note copies:
- C:\Users\Public\Libraries\375DC-Readme.txt
- C:\Users\Admin\AppData\Local\Comms\UnistoreDB\375DC-Readme.txt
- C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\375DC-Readme.txt
- C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\375DC-Readme.txt
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\375DC-Readme.txt
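The five note copies above are only the ones the sandbox parsed configuration from; the Program Files listing further down shows the note is dropped into many more directories. The Python below is an added triage example (not part of this report or of any sandbox tooling): it walks a directory tree, collects every `<id>-Readme.txt`, hashes each copy so a responder can confirm they are all identical, and pulls the contact addresses out of the note bodies. The directory tree it builds is a constructed stand-in reproducing the five paths from this section, the note body is a placeholder rather than the real text, and the id-length range in `NOTE_NAME` is an assumption so that other ids of the same shape also match.

```python
"""Inventory ransom-note copies under a tree and extract contact addresses."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict
from typing import Dict, List

# <id>-Readme.txt, where <id> is the short hex token this sample uses (375DC).
# ASSUMPTION: 4-8 hex characters, so ids of the same shape from other runs match.
NOTE_NAME = re.compile(r"^(?P<id>[0-9A-Fa-f]{4,8})-Readme\.txt$")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def inventory_notes(root: str) -> List[Dict]:
    """Find every ransom note under root; record path, id, sha256 and emails."""
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            m = NOTE_NAME.match(fn)
            if not m:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            notes.append({
                "path": path,
                "id": m.group("id").upper(),
                "sha256": hashlib.sha256(data).hexdigest(),
                "emails": sorted(set(EMAIL.findall(data.decode("utf-8", "replace")))),
            })
    return notes


def summarize(notes: List[Dict]) -> Dict:
    """Collapse per-file records into what an incident ticket needs."""
    by_hash = defaultdict(list)
    for n in notes:
        by_hash[n["sha256"]].append(n["path"])
    return {
        "count": len(notes),
        "ids": sorted({n["id"] for n in notes}),
        "emails": sorted({e for n in notes for e in n["emails"]}),
        # one entry per distinct note content; a single entry means all copies are identical
        "variants": {h: len(paths) for h, paths in by_hash.items()},
    }


def build_sample_tree() -> str:
    """Constructed stand-in for the infected host: the five note locations from
    this report plus two decoy files, created under a temp directory."""
    root = tempfile.mkdtemp(prefix="nw_triage_")
    # Placeholder body; the real note text is not reproduced here.
    body = (b"[constructed stand-in for the note body]\n"
            b"contact: sevenoneone@cock.li or kavariusing@tutanota.com\n")
    note_dirs = [
        "Users/Public/Libraries",
        "Users/Admin/AppData/Local/Comms/UnistoreDB",
        "Program Files/Java/jdk1.8.0_66/lib/visualvm/platform/modules",
        "Program Files/Java/jdk1.8.0_66/lib/visualvm/visualvm/update_tracking",
        "Program Files (x86)/Adobe/Acrobat Reader DC/Reader/WebResources/Resource0/"
        "static/js/plugins/home/images/themes/dark",
    ]
    for rel in note_dirs:
        d = os.path.join(root, *rel.split("/"))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "375DC-Readme.txt"), "wb") as fh:
            fh.write(body)
    # Decoys that must not be counted: wrong id shape, and an unrelated readme.
    docs = os.path.join(root, "Users", "Admin", "Documents")
    os.makedirs(docs, exist_ok=True)
    with open(os.path.join(docs, "notes-Readme.txt"), "wb") as fh:
        fh.write(b"project notes, mail me at someone@example.com\n")
    with open(os.path.join(root, "README.txt"), "wb") as fh:
        fh.write(b"unrelated\n")
    return root


if __name__ == "__main__":
    print(summarize(inventory_notes(build_sample_tree())))
```

On a real host, point `inventory_notes` at the mounted volume root; a `variants` dictionary with more than one key means the attacker dropped differing notes (for instance per-volume ids), which is worth recording before any cleanup removes them.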
Signatures
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes (description, ioc, process):
- File opened for modification: C:\Users\Admin\Pictures\AssertUndo.tiff (b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe)
- File opened for modification: C:\Users\Admin\Pictures\CheckpointImport.tiff (b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. The report lists no IoCs under this signature; with an encryptor that rewrites files throughout the user profile, the likelier trigger is the encryption sweep opening browser profile files rather than dedicated credential theft.
-
Modifies service 2 TTPs 5 IoCs
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
All five keys are written by the Volume Shadow Copy service itself (vssvc.exe, PID 8120 in the process tree below) while it services the sample's vssadmin request; they are the VSS writer/provider diagnostic keys, not a service reconfiguration performed by the sample, so this signature is a side effect of the shadow-copy deletion rather than a separate persistence or tampering action.
-
Drops file in Program Files directory 17176 IoCs
Processes (description, ioc; the process for every entry is b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe; the first 64 of 17176 entries are shown):
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3838_40x40x32.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-100.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.LEX
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchSmallTile.contrast-white_scale-100.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\PrizeHistory\awards_badge_base.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\talktothehand.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-400.png
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\375DC-Readme.txt
- File created: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\375DC-Readme.txt
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\en-GB.PostalAddress.ot
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSmallTile.scale-125.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\375DC-Readme.txt
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.White.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-200.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5478_48x48x32.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_opencarat_18.svg
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_ja.jar
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\XboxControl\User_icon-up.png
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\375DC-Readme.txt
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\PlayStore_icon.svg
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\AppxManifest.xml
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\TriPeaks\Goal_4.jpg
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sk_60x42.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ls_60x42.png
- File created: C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\375DC-Readme.txt
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef.pak
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_CA-ES.respack
- File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\fonts\symbol.ttf
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\29.jpg
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\mask\mask_corners.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-200.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-150.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_2x.png
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF@3x.png
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.png
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-ms
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x86__8wekyb3d8bbwe\AppxBlockMap.xml
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-unplated.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-32_altform-unplated.png
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\375DC-Readme.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\375DC-Readme.txt
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete@3x.png
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-pl.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2875_48x48x32.png
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\ui-strings.js
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\pt-br\375DC-Readme.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\375DC-Readme.txt
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\mask\mask_corners.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_editpdf_18.svg
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryDashboard.xltx
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-36.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48_altform-colorize.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, process):
- 4880 vssadmin.exe
-
Kills process with taskkill 2 IoCs
Processes (pid, process):
- 3968 taskkill.exe
- 9308 taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 3042 IoCs
Processes (pid, process):
- 3276 b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe (this same row is repeated once per enumeration event; 3042 in total)
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 3276, b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe
- Token: SeImpersonatePrivilege, 3276, b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe
- Token: SeBackupPrivilege, 8120, vssvc.exe
- Token: SeRestorePrivilege, 8120, vssvc.exe
- Token: SeAuditPrivilege, 8120, vssvc.exe
- Token: SeDebugPrivilege, 3968, taskkill.exe
- Token: SeDebugPrivilege, 9308, taskkill.exe
Of these, the vssvc.exe and taskkill.exe entries are the normal behaviour of those system binaries (the VSS service needs backup/restore privileges, and taskkill /F enables SeDebugPrivilege to terminate processes it does not own). The two entries attributable to the malware are the sample's own SeDebugPrivilege and SeImpersonatePrivilege.
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes (source pid -> target pid, source process, target process):
- 3276 -> 6692, b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe -> notepad.exe (3 writes)
- 3276 -> 4880, b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe -> vssadmin.exe (2 writes)
- 6108 -> 3968, cmd.exe -> taskkill.exe (3 writes)
- 6108 -> 9308, cmd.exe -> taskkill.exe (3 writes)
Each pair is a parent writing into a child it has just created, the writes process creation itself performs, and every pair matches a parent/child edge in the process tree below. There is no write into an unrelated process, so this signature is not evidence of code injection.
Processes (PIDs taken from the signature listings above; indentation shows the parent/child tree)
- C:\Users\Admin\AppData\Local\Temp\b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe (PID 3276, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\notepad.exe (PID 6692, depth 2)
    Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\375DC-Readme.txt"
  - C:\Windows\system32\vssadmin.exe (PID 4880, depth 2)
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe (PID 6108, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7540.tmp.bat"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 3968, depth 3)
      Command line: taskkill /F /im "b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe (PID 9308, depth 3)
      Command line: taskkill /F /im "b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 8120, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
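The tree shows a sequence worth alerting on regardless of the family label: vssadmin deleting every shadow copy, a cmd.exe running a batch file from Temp whose two taskkill calls target the parent's own image name (self-termination after encryption), and notepad opened on the dropped note. The Python below is an added example (not part of this report or of its sandbox) that encodes those three checks over Sysmon-style process-creation records. The records are constructed to mirror this tree, using the PIDs the report gives, plus two benign events to show what does not fire. The field names, the regexes and the "parent is not explorer.exe" test in the notepad rule are my assumptions.

```python
"""Flag the three behaviours from the process tree over process-creation records."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the executable (Sysmon "Image")
    cmdline: str  # command line as logged (Sysmon "CommandLine")


def image_name(path: str) -> str:
    """Bare executable name, lower-cased, from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(index: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Walk ppid links upward; stop at an unknown parent or a cycle."""
    chain, seen = [], {pid}
    cur = index.get(pid)
    while cur is not None and cur.ppid in index and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = index[cur.ppid]
        chain.append(cur)
    return chain


# "vssadmin delete shadows ... /all": wipes every shadow copy, not one.
VSS_DELETE_ALL = re.compile(r"\bdelete\s+shadows\b.*?/all\b", re.IGNORECASE)
# "taskkill ... /im <image>": image-name based kill.
TASKKILL_IM = re.compile(r"/im\s+\"?([^\"\s]+)", re.IGNORECASE)
# "<id>-Readme.txt" as used by this sample's ransom note.
RANSOM_NOTE = re.compile(r"[0-9A-Za-z]+-Readme\.txt", re.IGNORECASE)


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings, sorted, for the given process events."""
    index = {e.pid: e for e in events}
    findings: List[Tuple[str, int]] = []
    for e in events:
        name = image_name(e.image)
        if name == "vssadmin.exe" and VSS_DELETE_ALL.search(e.cmdline):
            findings.append(("vssadmin_shadow_delete_all", e.pid))
        elif name == "taskkill.exe":
            m = TASKKILL_IM.search(e.cmdline)
            if m:
                target = m.group(1).lower()
                # Self-termination: the kill target is the image of an ancestor process.
                if any(image_name(a.image) == target for a in ancestors(index, e.pid)):
                    findings.append(("taskkill_self_terminate", e.pid))
        elif name == "notepad.exe" and RANSOM_NOTE.search(e.cmdline):
            parent = index.get(e.ppid)
            # ASSUMPTION: a user opening a file does so from the shell; anything else is suspect.
            if parent is None or image_name(parent.image) != "explorer.exe":
                findings.append(("ransom_note_display", e.pid))
    return sorted(findings)


SAMPLE = "b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed records modelled on the process tree in this report (PIDs as reported),
# plus two benign events (PIDs 5000 and 5100) that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3276, 1000, TEMP + "\\" + SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    ProcEvent(6692, 3276, r"C:\Windows\SysWOW64\notepad.exe",
              r'C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\375DC-Readme.txt"'),
    ProcEvent(4880, 3276, r"C:\Windows\system32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(6108, 3276, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "' + TEMP + r'\7540.tmp.bat"'),
    ProcEvent(3968, 6108, r"C:\Windows\SysWOW64\taskkill.exe", f'taskkill /F /im "{SAMPLE}"'),
    ProcEvent(9308, 6108, r"C:\Windows\SysWOW64\taskkill.exe", f'taskkill /F /im "{SAMPLE}"'),
    ProcEvent(5000, 1000, r"C:\Windows\system32\notepad.exe",
              r'"C:\Windows\system32\notepad.exe" C:\Users\Admin\Documents\notes.txt'),
    ProcEvent(5100, 1000, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The self-termination rule is the one that generalises least well to other families but is the most specific here: a taskkill whose target equals an ancestor's image name is almost never legitimate, and it fires on both taskkill children even though the batch file itself was not captured.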
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7540.tmp.bat
  MD5: b58d61ac5cbb4c6be9037fc8d97c534a
  SHA1: d6d1f82614055c1d23744149784683a11ba8570a
  SHA256: b0679ca882b3d3474f82cf52cd236339aa826e044866c93bf8fc3ee658864af1
  SHA512: 4a536494166b716ca84cc76c0e19426d3dd1af37945c99f2652853e9525e5a933b30e8eaf83f294fa5731665ac0416652a8cdbdd0bfd31f2a2440cac9f11c0ec
- C:\Users\Admin\Desktop\375DC-Readme.txt
  MD5: 30ddc781c1c9810366be899b8b001f13
  SHA1: e3c06e7603ad9a57ca9fc3bdaf64f2fc7e3b7b09
  SHA256: 6b5fac17a9b17357335ee8d0efd26380675bb1f65df72f48c4719b9bfc0d8dc1
  SHA512: 49f9d5707a507293ba120c7a93b603bb612df127743dcc9c630678ec39cc26c8762e727e80693b6f5646574a9f95a3af5dbf311936f05ac65809f9755f52ab17
- memory/3968-4-0x0000000000000000-mapping.dmp
- memory/4880-1-0x0000000000000000-mapping.dmp
- memory/6108-2-0x0000000000000000-mapping.dmp
- memory/6692-0-0x0000000000000000-mapping.dmp
- memory/9308-6-0x0000000000000000-mapping.dmp