netwalker | 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5

General

Target

27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
Size

69KB
MD5

3a601ee68000508d58ea12203449a202
SHA1

9068567b2b3fdae864ca9b1fb9013d0305e3ca83
SHA256

27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5
SHA512

176d60567b2bcf89aa6338f3f14b22ee2592e4ea6349c0a51d67e5b7655de611c2a6e58495cab8d9c5c26deaef03ad19852a0f32cd37466fa3241d61395527b0

Score

10^/10

netwalker persistence ransomware spyware

Malware Config

Extracted

Path

C:\Program Files\Microsoft Office\Office14\5F6C34-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5f6c34 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5f6c34: +U2pNSJwwx49UWlEwMR/9696x0tYjFRbeop9s5IeBJsrY2ag2f k1/nM4PFsEQNdlCnu+a7atMXIwgUXvBbDIuumu6PBQOi48q/a6 0lPqufoiPqyfHhTS6ujLwCqMwno/u1e1eRat50RFdbNUgEGJfk e/7T0iCYJcq5Yq8PFOd9uL2Qk8pasg2+8pO1xIaHkWJ6nP83EB yEarVz1tyjRIcO8HA3oar10mbwHxdD/dObC7bpNO1bE7hxphqZ TFOw8+0mUJ+9Hpb3NZXOQkxTlxmL2sk/sQeTrJ7A==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\5F6C34-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5f6c34 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5f6c34: +U2pNSJwwx49UWlEwMR/9696x0tYjFRbeop9s5IeBJsrY2ag2f k1/nM4PFsEQNdlCnu+a7atMXIwgUXvBbDIuumu6PBQOi48q/a6 0lPqufoiPqyfHhTS6ujLwCqMwno/u1e1eRat50RFdbNUgEGJfk e/7T0iCYJcq5Yq8PFOd9uL2Qk8pasg2+8pO1xIaHkWJ6nP83EB yEarVz1tyjRIcO8HA3oar10mbwHxdD/dObC7bpNO1bE7hxphqZ TFOw8+0mUJ+9Hpb3NZXOQkxTlxmL2sk/sQeTrJ7A==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5f6c34 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5f6c34: +U2pNSJwwx49UWlEwMR/9696x0tYjFRbeop9s5IeBJsrY2ag2f k1/nM4PFsEQNdlCnu+a7atMXIwgUXvBbDIuumu6PBQOi48q/a6 0lPqufoiPqyfHhTS6ujLwCqMwno/u1e1eRat50RFdbNUgEGJfk e/7T0iCYJcq5Yq8PFOd9uL2Qk8pasg2+8pO1xIaHkWJ6nP83EB yEarVz1tyjRIcO8HA3oar10mbwHxdD/dObC7bpNO1bE7hxphqZ TFOw8+0mUJ+9Hpb3NZXOQkxTlxmL2sk/sQeTrJ7A==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\5F6C34-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5f6c34 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5f6c34: +U2pNSJwwx49UWlEwMR/9696x0tYjFRbeop9s5IeBJsrY2ag2f k1/nM4PFsEQNdlCnu+a7atMXIwgUXvBbDIuumu6PBQOi48q/a6 0lPqufoiPqyfHhTS6ujLwCqMwno/u1e1eRat50RFdbNUgEGJfk e/7T0iCYJcq5Yq8PFOd9uL2Qk8pasg2+8pO1xIaHkWJ6nP83EB yEarVz1tyjRIcO8HA3oar10mbwHxdD/dObC7bpNO1bE7hxphqZ TFOw8+0mUJ+9Hpb3NZXOQkxTlxmL2sk/sQeTrJ7A==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5f6c34 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5f6c34: +U2pNSJwwx49UWlEwMR/9696x0tYjFRbeop9s5IeBJsrY2ag2f k1/nM4PFsEQNdlCnu+a7atMXIwgUXvBbDIuumu6PBQOi48q/a6 0lPqufoiPqyfHhTS6ujLwCqMwno/u1e1eRat50RFdbNUgEGJfk e/7T0iCYJcq5Yq8PFOd9uL2Qk8pasg2+8pO1xIaHkWJ6nP83EB yEarVz1tyjRIcO8HA3oar10mbwHxdD/dObC7bpNO1bE7hxphqZ TFOw8+0mUJ+9Hpb3NZXOQkxTlxmL2sk/sQeTrJ7A==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5f6c34 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5f6c34: +U2pNSJwwx49UWlEwMR/9696x0tYjFRbeop9s5IeBJsrY2ag2f k1/nM4PFsEQNdlCnu+a7atMXIwgUXvBbDIuumu6PBQOi48q/a6 0lPqufoiPqyfHhTS6ujLwCqMwno/u1e1eRat50RFdbNUgEGJfk e/7T0iCYJcq5Yq8PFOd9uL2Qk8pasg2+8pO1xIaHkWJ6nP83EB yEarVz1tyjRIcO8HA3oar10mbwHxdD/dObC7bpNO1bE7hxphqZ TFOw8+0mUJ+9Hpb3NZXOQkxTlxmL2sk/sQeTrJ7A==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RestartClear.tif => C:\Users\Admin\Pictures\RestartClear.tif.5f6c34	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Users\Admin\Pictures\PushSet.tiff	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreApprove.tiff	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Users\Admin\Pictures\InvokeRename.tiff	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File renamed	C:\Users\Admin\Pictures\SetUnblock.crw => C:\Users\Admin\Pictures\SetUnblock.crw.5f6c34	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File renamed	C:\Users\Admin\Pictures\DenySuspend.tif => C:\Users\Admin\Pictures\DenySuspend.tif.5f6c34	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File renamed	C:\Users\Admin\Pictures\MountHide.raw => C:\Users\Admin\Pictures\MountHide.raw.5f6c34	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File renamed	C:\Users\Admin\Pictures\SetRegister.crw => C:\Users\Admin\Pictures\SetRegister.crw.5f6c34	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File renamed	C:\Users\Admin\Pictures\DenyLock.tiff => C:\Users\Admin\Pictures\DenyLock.tiff.5f6c34	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File renamed	C:\Users\Admin\Pictures\InvokeRename.tiff => C:\Users\Admin\Pictures\InvokeRename.tiff.5f6c34	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File renamed	C:\Users\Admin\Pictures\PushSet.tiff => C:\Users\Admin\Pictures\PushSet.tiff.5f6c34	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Users\Admin\Pictures\DenyLock.tiff	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File renamed	C:\Users\Admin\Pictures\RestoreApprove.tiff => C:\Users\Admin\Pictures\RestoreApprove.tiff.5f6c34	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File renamed	C:\Users\Admin\Pictures\MeasureTrace.crw => C:\Users\Admin\Pictures\MeasureTrace.crw.5f6c34	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

7848 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
7848	cmd.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Program Files directory 7494 IoCs

Processes:

27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Discussion.gta	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\default_apps\drive.crx	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\WET	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Hermosillo	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Nicosia	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MAIN.XML	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00957_.WMF	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Metro.eftx	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090783.WMF	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\COPYRIGHT	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15035_.GIF	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Macau	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382955.JPG	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00935_.WMF	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Angles.xml	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00158_.GIF	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115841.GIF	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115839.GIF	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.RSD	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_fr.properties	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\5F6C34-Readme.txt	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_ja.jar	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21298_.GIF	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\EUROTOOL.XLAM	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\cue.luac	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\HEADER.GIF	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106572.WMF	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233512.WMF	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Apothecary.thmx	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Classic.dotx	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\5F6C34-Readme.txt	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115836.GIF	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01239_.GIF	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jre7\lib\psfontj2d.properties	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-api.jar	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0136865.WMF	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\profile.jfc	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21299_.GIF	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0294989.WMF	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\master_preferences	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN001.XML	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\VOLTAGE.WAV	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid.gif	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\vlc.mo	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_07.MID	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\Documentation.url	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHigh.jpg	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cayman	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\PACBELL.NET.XML	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1188 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

7524 taskkill.exe

pid	process
1188	vssadmin.exe

pid	process
7524	taskkill.exe

Suspicious behavior: EnumeratesProcesses 10627 IoCs

Processes:

27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe

pid	process
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exevssvc.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
Token: SeImpersonatePrivilege	1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
Token: SeBackupPrivilege	6428	vssvc.exe
Token: SeRestorePrivilege	6428	vssvc.exe
Token: SeAuditPrivilege	6428	vssvc.exe
Token: SeDebugPrivilege	7524	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.execmd.exe

description	pid	process	target process
PID 1360 wrote to memory of 1188	1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe	vssadmin.exe
PID 1360 wrote to memory of 1188	1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe	vssadmin.exe
PID 1360 wrote to memory of 1188	1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe	vssadmin.exe
PID 1360 wrote to memory of 1188	1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe	vssadmin.exe
PID 1360 wrote to memory of 7420	1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe	notepad.exe
PID 1360 wrote to memory of 7420	1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe	notepad.exe
PID 1360 wrote to memory of 7420	1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe	notepad.exe
PID 1360 wrote to memory of 7420	1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe	notepad.exe
PID 1360 wrote to memory of 7848	1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe	cmd.exe
PID 1360 wrote to memory of 7848	1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe	cmd.exe
PID 1360 wrote to memory of 7848	1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe	cmd.exe
PID 1360 wrote to memory of 7848	1360	27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe	cmd.exe
PID 7848 wrote to memory of 7524	7848	cmd.exe	taskkill.exe
PID 7848 wrote to memory of 7524	7848	cmd.exe	taskkill.exe
PID 7848 wrote to memory of 7524	7848	cmd.exe	taskkill.exe
PID 7848 wrote to memory of 7524	7848	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
"C:\Users\Admin\AppData\Local\Temp\27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1188
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\5F6C34-Readme.txt"
  2⤵
  PID:7420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\61A0.tmp.bat"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:7848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /PID 1360
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:6428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\61A0.tmp.bat

MD5
06c4e1813cfd573157a79bdaa194419e

SHA1
c424c2e41553e6a4b9284b93c22ed6f9b997d63b

SHA256
e01c8400030e62d42f57b331e9c29c4761f8bddf4d94fdd28fdcdb2dcd38a6e9

SHA512
c71f750bbc4d039784534134023876ae0caa67be4082f381b41d81bcc275de19217b55ef10837e94934154c7d8d92ac30cf35d86141bb32f43ef19df242c2f56

Download Submit
C:\Users\Admin\Desktop\5F6C34-Readme.txt

MD5
125bbefa461c607458c5f07c078e6f47

SHA1
a9e735d43abf3e4b79f49c54dc155fadfbceb991

SHA256
d5b1356c1a00db01a01400a5cab8afe26a64619b2a83d9c84299cc85fafb998d

SHA512
aca7d5be2891e23f30c1105e7abd6b1977485fa054117d404cbd77e67947aa62ec58d958688d349d11d5a480ead0a64eea62038f9e05f807cbbecc524af1ffdb

Download Submit
memory/1188-0-0x0000000000000000-mapping.dmp

Download
memory/7420-4-0x0000000000000000-mapping.dmp

Download
memory/7524-12-0x0000000000000000-mapping.dmp

Download
memory/7848-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads