Analysis
- max time kernel: 90s
- max time network: 36s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
- Sample: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
- Resource: win10v20201028
General
- Target: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
- Size: 69KB
- MD5: 63eb7712d7c9d495e8a6be937bdb1960
- SHA1: 1897bcfc7f3d4a36bdd29da61e87ba00812dca24
- SHA256: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a
- SHA512: 049a2dc1c544a89673bcdca985ad1e42f168f65ff73267e2e0ac30ae992a8b21d375afb35882b512edc335bfdf44174fdbbf03b3451d5b2d405eceafd3e05497
Malware Config
Extracted from C:\ProgramData\Microsoft\MF\CE5F7B-Readme.txt
- Family: netwalker
- URLs:
  http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted from C:\ProgramData\Microsoft\Search\Data\Applications\Windows\CE5F7B-Readme.txt
- Family: netwalker
- URLs:
  http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
- Netwalker Ransomware
  Ransomware family with multiple versions. Also known as MailTo.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
  - File opened for modification: C:\Users\Admin\Pictures\RemoveStart.tiff
  - File renamed: C:\Users\Admin\Pictures\RemoveStart.tiff => C:\Users\Admin\Pictures\RemoveStart.tiff.ce5f7b
  - File renamed: C:\Users\Admin\Pictures\InitializeStep.tif => C:\Users\Admin\Pictures\InitializeStep.tif.ce5f7b
- Deletes itself (1 IoCs)
  Processes: cmd.exe (PID 5488)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
- Drops file in Program Files directory (7497 IoCs)
  Processes: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1572)
- Kills process with taskkill (1 IoCs)
  Processes: taskkill.exe (PID 7752)
- Suspicious behavior: EnumeratesProcesses (12537 IoCs)
  Processes: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe (PID 1912)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe, vssvc.exe, taskkill.exe
  - Token: SeDebugPrivilege, PID 1912, 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
  - Token: SeImpersonatePrivilege, PID 1912, 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
  - Token: SeBackupPrivilege, PID 3360, vssvc.exe
  - Token: SeRestorePrivilege, PID 3360, vssvc.exe
  - Token: SeAuditPrivilege, PID 3360, vssvc.exe
  - Token: SeDebugPrivilege, PID 7752, taskkill.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe, cmd.exe
  - PID 1912 wrote to memory of 1572: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe -> vssadmin.exe
  - PID 1912 wrote to memory of 1572: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe -> vssadmin.exe
  - PID 1912 wrote to memory of 1572: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe -> vssadmin.exe
  - PID 1912 wrote to memory of 1572: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe -> vssadmin.exe
  - PID 1912 wrote to memory of 3944: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe -> notepad.exe
  - PID 1912 wrote to memory of 3944: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe -> notepad.exe
  - PID 1912 wrote to memory of 3944: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe -> notepad.exe
  - PID 1912 wrote to memory of 3944: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe -> notepad.exe
  - PID 1912 wrote to memory of 5488: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe -> cmd.exe
  - PID 1912 wrote to memory of 5488: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe -> cmd.exe
  - PID 1912 wrote to memory of 5488: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe -> cmd.exe
  - PID 1912 wrote to memory of 5488: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe -> cmd.exe
  - PID 5488 wrote to memory of 7752: cmd.exe -> taskkill.exe
  - PID 5488 wrote to memory of 7752: cmd.exe -> taskkill.exe
  - PID 5488 wrote to memory of 7752: cmd.exe -> taskkill.exe
  - PID 5488 wrote to memory of 7752: cmd.exe -> taskkill.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\notepad.exe
    Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\CE5F7B-Readme.txt"
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\6B41.tmp.bat"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /PID 1912
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\6B41.tmp.bat
  MD5: 77a5448d70fb57502fa67072bddfe6a1
  SHA1: 1de51c9eb142191cf9f91e8dc8cbd68a3e00cb3b
  SHA256: 60a266c9a829cb95d28275b1ba0541a0eee1b4a9ccb8cc0250970d7eeb5bb0fd
  SHA512: ef13d805410dd215fe6651e148928ffddd98b4571560aaeba8cf78f5839b73439b56e320c661950b03150fb715099ba4c05954e4dea05701ab366cc10234bbc6
- C:\Users\Admin\Desktop\CE5F7B-Readme.txt
  MD5: 951d9704fc53df47689fd7fbb0786807
  SHA1: 0bab92352f6f212dd2089867aeb79c0e0d2d1408
  SHA256: cf92cb57094f57f65df612987593201faece437e22996d2e6fd739a52f1a31f2
  SHA512: 1fde577077973f2c390791be87e1e031da21c96fac7dee5f61e7d8fa859bc8594611af52a42792e0ff1fb15a0077682ea13deff2e0364a96c2f4458e1b41941f
- memory/1572-0-0x0000000000000000-mapping.dmp
- memory/3944-4-0x0000000000000000-mapping.dmp
- memory/5488-7-0x0000000000000000-mapping.dmp
- memory/7752-12-0x0000000000000000-mapping.dmp