netwalker | 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a

General

Target

0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
Size

69KB
MD5

63eb7712d7c9d495e8a6be937bdb1960
SHA1

1897bcfc7f3d4a36bdd29da61e87ba00812dca24
SHA256

0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a
SHA512

049a2dc1c544a89673bcdca985ad1e42f168f65ff73267e2e0ac30ae992a8b21d375afb35882b512edc335bfdf44174fdbbf03b3451d5b2d405eceafd3e05497

Score

10^/10

netwalker persistence ransomware spyware

Malware Config

Extracted

Path

C:\odt\E341EA-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e341ea -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e341ea: EXAD167woTT+fGIubmc+DaIcb2NQR5vgoZrONKFLgvOM96YIVQ dWNcfa7tIppjKfxfnBTFSyKkorElDjCnQ3qNCu9WUFOFwcmifa dDyDSF5+TV79b+xt7HAp7aUMPIqglbD3VKr9pN+spq7j+nYZM5 eQ5DPQD8woDGJ/bQxCvfHAD8IiUGJfVApJHk8R+cYKhsIYTEgb 5qvh1V/O3BL067m3gy2I/RcnSfYScqb9dpp6OXncGUg8pYhsal zpGTNF41EljAX3+kfzGi0l7u/NQrIMlmJfy14ECw==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\E341EA-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e341ea -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e341ea: EXAD167woTT+fGIubmc+DaIcb2NQR5vgoZrONKFLgvOM96YIVQ dWNcfa7tIppjKfxfnBTFSyKkorElDjCnQ3qNCu9WUFOFwcmifa dDyDSF5+TV79b+xt7HAp7aUMPIqglbD3VKr9pN+spq7j+nYZM5 eQ5DPQD8woDGJ/bQxCvfHAD8IiUGJfVApJHk8R+cYKhsIYTEgb 5qvh1V/O3BL067m3gy2I/RcnSfYScqb9dpp6OXncGUg8pYhsal zpGTNF41EljAX3+kfzGi0l7u/NQrIMlmJfy14ECw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e341ea -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e341ea: EXAD167woTT+fGIubmc+DaIcb2NQR5vgoZrONKFLgvOM96YIVQ dWNcfa7tIppjKfxfnBTFSyKkorElDjCnQ3qNCu9WUFOFwcmifa dDyDSF5+TV79b+xt7HAp7aUMPIqglbD3VKr9pN+spq7j+nYZM5 eQ5DPQD8woDGJ/bQxCvfHAD8IiUGJfVApJHk8R+cYKhsIYTEgb 5qvh1V/O3BL067m3gy2I/RcnSfYScqb9dpp6OXncGUg8pYhsal zpGTNF41EljAX3+kfzGi0l7u/NQrIMlmJfy14ECw==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files\7-Zip\Lang\E341EA-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e341ea -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e341ea: EXAD167woTT+fGIubmc+DaIcb2NQR5vgoZrONKFLgvOM96YIVQ dWNcfa7tIppjKfxfnBTFSyKkorElDjCnQ3qNCu9WUFOFwcmifa dDyDSF5+TV79b+xt7HAp7aUMPIqglbD3VKr9pN+spq7j+nYZM5 eQ5DPQD8woDGJ/bQxCvfHAD8IiUGJfVApJHk8R+cYKhsIYTEgb 5qvh1V/O3BL067m3gy2I/RcnSfYScqb9dpp6OXncGUg8pYhsal zpGTNF41EljAX3+kfzGi0l7u/NQrIMlmJfy14ECw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e341ea -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e341ea: EXAD167woTT+fGIubmc+DaIcb2NQR5vgoZrONKFLgvOM96YIVQ dWNcfa7tIppjKfxfnBTFSyKkorElDjCnQ3qNCu9WUFOFwcmifa dDyDSF5+TV79b+xt7HAp7aUMPIqglbD3VKr9pN+spq7j+nYZM5 eQ5DPQD8woDGJ/bQxCvfHAD8IiUGJfVApJHk8R+cYKhsIYTEgb 5qvh1V/O3BL067m3gy2I/RcnSfYScqb9dpp6OXncGUg8pYhsal zpGTNF41EljAX3+kfzGi0l7u/NQrIMlmJfy14ECw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e341ea -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e341ea: EXAD167woTT+fGIubmc+DaIcb2NQR5vgoZrONKFLgvOM96YIVQ dWNcfa7tIppjKfxfnBTFSyKkorElDjCnQ3qNCu9WUFOFwcmifa dDyDSF5+TV79b+xt7HAp7aUMPIqglbD3VKr9pN+spq7j+nYZM5 eQ5DPQD8woDGJ/bQxCvfHAD8IiUGJfVApJHk8R+cYKhsIYTEgb 5qvh1V/O3BL067m3gy2I/RcnSfYScqb9dpp6OXncGUg8pYhsal zpGTNF41EljAX3+kfzGi0l7u/NQrIMlmJfy14ECw==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\E341EA-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e341ea -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e341ea: EXAD167woTT+fGIubmc+DaIcb2NQR5vgoZrONKFLgvOM96YIVQ dWNcfa7tIppjKfxfnBTFSyKkorElDjCnQ3qNCu9WUFOFwcmifa dDyDSF5+TV79b+xt7HAp7aUMPIqglbD3VKr9pN+spq7j+nYZM5 eQ5DPQD8woDGJ/bQxCvfHAD8IiUGJfVApJHk8R+cYKhsIYTEgb 5qvh1V/O3BL067m3gy2I/RcnSfYScqb9dpp6OXncGUg8pYhsal zpGTNF41EljAX3+kfzGi0l7u/NQrIMlmJfy14ECw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e341ea -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e341ea: EXAD167woTT+fGIubmc+DaIcb2NQR5vgoZrONKFLgvOM96YIVQ dWNcfa7tIppjKfxfnBTFSyKkorElDjCnQ3qNCu9WUFOFwcmifa dDyDSF5+TV79b+xt7HAp7aUMPIqglbD3VKr9pN+spq7j+nYZM5 eQ5DPQD8woDGJ/bQxCvfHAD8IiUGJfVApJHk8R+cYKhsIYTEgb 5qvh1V/O3BL067m3gy2I/RcnSfYScqb9dpp6OXncGUg8pYhsal zpGTNF41EljAX3+kfzGi0l7u/NQrIMlmJfy14ECw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e341ea -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e341ea: EXAD167woTT+fGIubmc+DaIcb2NQR5vgoZrONKFLgvOM96YIVQ dWNcfa7tIppjKfxfnBTFSyKkorElDjCnQ3qNCu9WUFOFwcmifa dDyDSF5+TV79b+xt7HAp7aUMPIqglbD3VKr9pN+spq7j+nYZM5 eQ5DPQD8woDGJ/bQxCvfHAD8IiUGJfVApJHk8R+cYKhsIYTEgb 5qvh1V/O3BL067m3gy2I/RcnSfYScqb9dpp6OXncGUg8pYhsal zpGTNF41EljAX3+kfzGi0l7u/NQrIMlmJfy14ECw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e341ea -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e341ea: EXAD167woTT+fGIubmc+DaIcb2NQR5vgoZrONKFLgvOM96YIVQ dWNcfa7tIppjKfxfnBTFSyKkorElDjCnQ3qNCu9WUFOFwcmifa dDyDSF5+TV79b+xt7HAp7aUMPIqglbD3VKr9pN+spq7j+nYZM5 eQ5DPQD8woDGJ/bQxCvfHAD8IiUGJfVApJHk8R+cYKhsIYTEgb 5qvh1V/O3BL067m3gy2I/RcnSfYScqb9dpp6OXncGUg8pYhsal zpGTNF41EljAX3+kfzGi0l7u/NQrIMlmJfy14ECw==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\UnblockEdit.tif => C:\Users\Admin\Pictures\UnblockEdit.tif.e341ea	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File renamed	C:\Users\Admin\Pictures\NewInstall.tif => C:\Users\Admin\Pictures\NewInstall.tif.e341ea	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File renamed	C:\Users\Admin\Pictures\SyncComplete.crw => C:\Users\Admin\Pictures\SyncComplete.crw.e341ea	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

Drops file in Program Files directory 17156 IoCs

Processes:

0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosLargeTile.scale-125.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-64_contrast-black.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-400.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\beer.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-tw\ui-strings.js	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\E341EA-Readme.txt	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Fable\fable_11h.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\E341EA-Readme.txt	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\main-selector.css	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsMedTile.scale-100.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_zh_CN.jar	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\E341EA-Readme.txt	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_2017.311.255.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\beer.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\freecell_menu_icon.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\ui-strings.js	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-unplated.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\freecell\Alcatraz_Escape_.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-96_altform-unplated.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-96_altform-unplated.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\ui-strings.js	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nl-nl\ui-strings.js	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN081.XML	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10910_24x24x32.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_FR.LEX	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ads_win10_300x250.scale-100.jpg	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\en-US.PostalAddress.model	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\Icon.targetsize-256.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\music.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\cardsLoadingSequence.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\th_16x11.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.ELM	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_CN.jar	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\pt-br\E341EA-Readme.txt	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNB.TTF	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\AppxManifest.xml	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-125_contrast-black.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-200.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\java.policy	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-selector.js	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-unplated.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\Buttons\Back\Back.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-100.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\ui-strings.js	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\root\ui-strings.js	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\FilesystemMetadata.xml	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\README.html	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\RadialControl\TiltUp_E809_HC_Black_64x64.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSJHBD.TTC	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\muscle.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-100.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-400.png	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\orcl7.xsl	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\main-selector.css	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

5080 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5168 taskkill.exe

pid	process
5080	vssadmin.exe

pid	process
5168	taskkill.exe

Suspicious behavior: EnumeratesProcesses 13245 IoCs

Processes:

0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe

pid	process
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exevssvc.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
Token: SeImpersonatePrivilege	4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
Token: SeBackupPrivilege	7404	vssvc.exe
Token: SeRestorePrivilege	7404	vssvc.exe
Token: SeAuditPrivilege	7404	vssvc.exe
Token: SeDebugPrivilege	5168	taskkill.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.execmd.exe

description	pid	process	target process
PID 4700 wrote to memory of 5080	4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe	vssadmin.exe
PID 4700 wrote to memory of 5080	4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe	vssadmin.exe
PID 4700 wrote to memory of 1304	4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe	notepad.exe
PID 4700 wrote to memory of 1304	4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe	notepad.exe
PID 4700 wrote to memory of 1304	4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe	notepad.exe
PID 4700 wrote to memory of 9212	4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe	cmd.exe
PID 4700 wrote to memory of 9212	4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe	cmd.exe
PID 4700 wrote to memory of 9212	4700	0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe	cmd.exe
PID 9212 wrote to memory of 5168	9212	cmd.exe	taskkill.exe
PID 9212 wrote to memory of 5168	9212	cmd.exe	taskkill.exe
PID 9212 wrote to memory of 5168	9212	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe
"C:\Users\Admin\AppData\Local\Temp\0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a.bin.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:5080

C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\E341EA-Readme.txt"
2⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2D5A.tmp.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:9212

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 4700
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:7404

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2D5A.tmp.bat
MD5
3386c967e7ef9885453c02754a88ccb5

SHA1
356b852a847b0941b9240ff5b82614f33809b33b

SHA256
e7cf462f48e3f7ef832130ec577d0a4fd9d091d526ed857004dd7013707c4623

SHA512
432ab8bb883d82d4f727f33f0efccd5285db298918a44f522f345fcf39a2c0149a01fb682feaf2bf0b14bd74cdd07626c30514bb321a7c8b1abc1e0a67acfb9a

Download Submit
C:\Users\Admin\Desktop\E341EA-Readme.txt
MD5
e3d7c7ae1833c52627d068a26704fa42

SHA1
7d947de2e820ae51349526aedb731e0cc5bd08ef

SHA256
f672fff499fae487508f53d6d68ddde0174c0f4df08f30e0dd44c91ec06f4703

SHA512
011ed4404ae934b6a7d37fee938c7520033e93fa16d0c09e0ddf1b4d7baf03134970b2fd54164e568fe7fa663e137a011c6153d27e6e5a27b57419d42a5258a6

Download Submit
memory/1304-1-0x0000000000000000-mapping.dmp

Download
memory/5080-0-0x0000000000000000-mapping.dmp

Download
memory/5168-4-0x0000000000000000-mapping.dmp

Download
memory/9212-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads