Analysis
max time kernel: 118s
max time network: 36s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:17

Static task: static1
Behavioral task: behavioral1
  Sample: a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d.bin.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d.bin.exe
  Resource: win10v20201028
General
Target: a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d.bin.exe
Size: 69KB
MD5: bc75859695f6c2c5ceda7e3be68e5d5a
SHA1: 5be2fb7adcfefd741e6b98b4beeadf9e24ea7423
SHA256: a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d
SHA512: 64aa4beec446dfc8fbe677a714095ac0b478fc286ca0ec8cb2d798df03d220739bb6ad213102210c52e63368595c7cc991895c5ed68764774d2b97ce103e59ae
Malware Config
Extracted from: C:\ProgramData\Microsoft\MF\DC293F-Readme.txt
  Family: netwalker
  URLs:
    http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
    http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted from: C:\Program Files\7-Zip\DC293F-Readme.txt
  Family: netwalker
  URLs:
    http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
    http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
- Netwalker Ransomware
  Ransomware family with multiple versions. Also known as MailTo.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d.bin.exe: File renamed C:\Users\Admin\Pictures\ConvertToClear.crw => C:\Users\Admin\Pictures\ConvertToClear.crw.dc293f
- Deletes itself (1 IoC)
  Processes:
    cmd.exe (pid 4784)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc. No process or file IoC is listed for this signature in this report.
- Modifies service (2 TTPs, 5 IoCs)
  Processes:
    vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
    vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
    vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
    vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
    vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Drops file in Program Files directory (7499 IoCs)
  Processes (every entry below is by a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d.bin.exe):
    File opened for modification: C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\uk.pak
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00170_.GIF
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml
    File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\DC293F-Readme.txt
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382967.JPG
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\STUBBY2.WMF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01171_.WMF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21366_.GIF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0214948.WMF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLADD.FAE
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\TOC98.POC
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00390_.WMF
    File created: C:\Program Files (x86)\Microsoft Office\Office14\OneNote\DC293F-Readme.txt
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_VelvetRose.gif
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Apia
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PPINTL.DLL.IDX_DLL
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_ja_4.4.0.v20140623020002.jar
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR4F.GIF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00523_.WMF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\SPANISH.LNG
    File opened for modification: C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\sl.pak
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA
    File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\New_Salem
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml
    File opened for modification: C:\Program Files\Java\jre7\lib\cmm\LINEAR_RGB.pf
    File opened for modification: C:\Program Files\Java\jre7\lib\zi\Europe\Moscow
    File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18232_.WMF
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar
    File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15061_.GIF
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_zh_4.4.0.v20140623020002.jar
    File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0298897.WMF
    File opened for modification: C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\vlc.mo
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BROCHURE.XML
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOff.jpg
    File created: C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\DC293F-Readme.txt
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Phoenix
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\COPYRIGHT
    File opened for modification: C:\Program Files\Java\jre7\lib\zi\Africa\Cairo
    File opened for modification: C:\Program Files\7-Zip\Lang\nl.txt
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02390_.WMF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02790_.WMF
    File opened for modification: C:\Program Files\VideoLAN\VLC\COPYING.txt
    File created: C:\Program Files\VideoLAN\VLC\DC293F-Readme.txt
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar
    File created: C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\DC293F-Readme.txt
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02262_.WMF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03339_.WMF
    File created: C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\DC293F-Readme.txt
    File opened for modification: C:\Program Files\Java\jre7\lib\zi\Indian\Reunion
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\ant-javafx.jar
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00760L.GIF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\SalesReport.xltx
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar
    File opened for modification: C:\Program Files\7-Zip\Lang\pa-in.txt
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\GRID_01.MID
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187895.WMF
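The two file-activity tables above (the rename to .dc293f and the DC293F-Readme.txt drops under Program Files) carry the IoCs a responder needs first: the appended extension and the ransom-note filename. The following Python script is an added example, not part of this sandbox report or of any Netwalker tooling; it parses event rows in the shape this report prints, derives the extension from rename events (old path is a prefix of the new path), identifies the note as the one filename created in more than one directory, and checks whether the note prefix equals the appended extension, which for this sample it does (DC293F / .dc293f). The sample rows are constructed from the tables above.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Constructed sample input: file-event rows in the shape this report prints,
# "<action> <path>[ => <new path>]", one per line, copied from the tables above.
SAMPLE_EVENTS = r"""
File renamed C:\Users\Admin\Pictures\ConvertToClear.crw => C:\Users\Admin\Pictures\ConvertToClear.crw.dc293f
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\DC293F-Readme.txt
File opened for modification C:\Program Files\7-Zip\Lang\nl.txt
File created C:\Program Files\VideoLAN\VLC\DC293F-Readme.txt
File opened for modification C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\uk.pak
"""

EVENT_RE = re.compile(r"^File (renamed|created|opened for modification) (.+?)(?: => (.+))?$")


def parse_events(text):
    """Turn the flattened sandbox rows into dicts with action, path and new_path."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"action": m.group(1), "path": m.group(2), "new_path": m.group(3)})
    return events


def appended_extensions(events):
    """Count suffixes added by rename events where the old path is a prefix of the new one.
    An encryptor that appends an extension shows up as one dominant suffix."""
    counts = Counter()
    for e in events:
        new = e["new_path"]
        if e["action"] == "renamed" and new and new.startswith(e["path"]):
            counts[new[len(e["path"]):]] += 1
    return counts


def dropped_note_candidates(events):
    """Map basename -> number of distinct directories it was created in.
    A ransom note is the same filename dropped into many folders."""
    dirs = defaultdict(set)
    for e in events:
        if e["action"] == "created":
            d, base = ntpath.split(e["path"])
            dirs[base].add(d.lower())
    return {base: len(ds) for base, ds in dirs.items() if len(ds) > 1}


def summarize(text):
    """Extension, note name, note spread and Program Files activity from the rows."""
    events = parse_events(text)
    exts = appended_extensions(events)
    notes = dropped_note_candidates(events)
    ext = exts.most_common(1)[0][0] if exts else None
    note = max(notes, key=notes.get) if notes else None
    # Netwalker reuses its per-victim ID as both the appended extension and the
    # ransom-note prefix; this checks that rather than assuming it.
    note_id = note.split("-", 1)[0] if note else ""
    return {
        "extension": ext,
        "note_name": note,
        "note_dirs": notes.get(note, 0),
        "id_matches_extension": bool(ext) and ext.lstrip(".").lower() == note_id.lower(),
        "program_files_touched": sum(
            1 for e in events
            if e["action"] == "opened for modification"
            and e["path"].lower().startswith(r"c:\program files")
        ),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Run against a full export of the 7499 rows the same functions give the total spread of the note and the count of Program Files entries touched; the extension and note name derived here are what to search for across file shares during scoping.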
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    vssadmin.exe (pid 1504)
- Kills process with taskkill (1 IoC)
  Processes:
    taskkill.exe (pid 1560)
- Suspicious behavior: EnumeratesProcesses (17901 IoCs)
  Processes:
    a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d.bin.exe (pid 292); the report repeats this same row for every IoC it shows
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 292, a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d.bin.exe
    Token: SeImpersonatePrivilege, pid 292, a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d.bin.exe
    Token: SeBackupPrivilege, pid 2596, vssvc.exe
    Token: SeRestorePrivilege, pid 2596, vssvc.exe
    Token: SeAuditPrivilege, pid 2596, vssvc.exe
    Token: SeDebugPrivilege, pid 1560, taskkill.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (source pid/process -> target pid/process; each pair is reported four times):
    292 a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d.bin.exe -> 1504 vssadmin.exe
    292 a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d.bin.exe -> 5188 notepad.exe
    292 a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d.bin.exe -> 4784 cmd.exe
    4784 cmd.exe -> 1560 taskkill.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d.bin.exe (pid 292)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d.bin.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\vssadmin.exe (pid 1504)
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\notepad.exe (pid 5188)
    Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\DC293F-Readme.txt"
  - C:\Windows\SysWOW64\cmd.exe (pid 4784)
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\D95E.tmp.bat"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (pid 1560)
      Command line: taskkill /F /PID 292
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (pid 2596)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
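The process tree above is the part of this report that translates most directly into detection logic: the sample spawns vssadmin.exe to delete all shadow copies, then launches cmd.exe on a batch file in %TEMP% whose child taskkill.exe kills PID 292, the sample itself, so the batch can remove the binary afterwards. The following Python script is an added example, not part of this report or of any sandbox product; it runs two rules over process-creation events modelled on that tree. The event records are constructed from the PIDs and command lines shown above; the parent PIDs of the two top-level processes are not in the report, so 0 is used as a placeholder for "unknown".

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree in this report. ppid 0 marks parents the
# report does not show (the sample's own parent and the VSS service host).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d.bin.exe"
SAMPLE_EVENTS = [
    ProcEvent(292, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1504, 292, r"C:\Windows\system32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(5188, 292, r"C:\Windows\SysWOW64\notepad.exe",
              r'C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\DC293F-Readme.txt"'),
    ProcEvent(4784, 292, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c "C:\Users\Admin\AppData\Local\Temp\D95E.tmp.bat"'),
    ProcEvent(1560, 4784, r"C:\Windows\SysWOW64\taskkill.exe", r"taskkill /F /PID 292"),
    ProcEvent(2596, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

SHADOW_DELETE_RE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
TASKKILL_PID_RE = re.compile(r"/PID\s+(\d+)", re.IGNORECASE)
TEMP_BAT_RE = re.compile(r"\\Temp\\[^\"\s]+\.bat", re.IGNORECASE)


def image_name(e):
    """Lower-cased file name of the process image, ignoring the directory."""
    return e.image.rsplit("\\", 1)[-1].lower()


def find_shadow_copy_deletion(events):
    """vssadmin.exe invoked with 'delete shadows': the inhibit-recovery step."""
    return [e for e in events
            if image_name(e) == "vssadmin.exe" and SHADOW_DELETE_RE.search(e.cmdline)]


def find_self_delete_chain(events):
    """taskkill /F /PID <n> run from a cmd.exe that executes a %TEMP% batch file,
    where <n> is cmd.exe's own parent: the dropper killing itself so the batch
    can delete the binary. Returns (target pid, cmd pid, taskkill pid) tuples."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if image_name(e) != "taskkill.exe":
            continue
        m = TASKKILL_PID_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if not m or parent is None or image_name(parent) != "cmd.exe":
            continue
        target = int(m.group(1))
        if target == parent.ppid and TEMP_BAT_RE.search(parent.cmdline):
            hits.append((target, parent.pid, e.pid))
    return hits


def triage(events):
    """Human-readable findings for the two behaviours above."""
    findings = []
    for e in find_shadow_copy_deletion(events):
        findings.append(f"shadow copy deletion by pid {e.pid} (parent {e.ppid}): {e.cmdline}")
    for target, cmd_pid, tk_pid in find_self_delete_chain(events):
        findings.append(f"self-delete chain: pid {target} -> cmd.exe {cmd_pid} -> taskkill {tk_pid} (/PID {target})")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The self-delete rule deliberately requires the taskkill target to equal cmd.exe's parent PID rather than matching on taskkill alone, since administrators run taskkill routinely; the shadow-copy rule matches only the vssadmin form seen in this report, so a deployment would add the equivalent wmic and PowerShell invocations as separate patterns.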
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\D95E.tmp.bat
  MD5: 4eb436ba0455cd1317cc8304629fd866
  SHA1: f10ab259b4c3e91a2279d98d3a405af0b21371ae
  SHA256: d31b60a53625f9fb657d5610e842c15510201bb02c6b01354bd9decc79224240
  SHA512: 14fa8f0526fcb0bbc432366625a3e8cd37a6b0341fd0611465c3ae8d7c83a828316577e5889691fd946bced351952ba3f04ce08694b7e7c831e7bba1770a102e
- C:\Users\Admin\Desktop\DC293F-Readme.txt
  MD5: 22567e1fa2a468dacf8e6f074ac1c780
  SHA1: 9a9d239ade869f12622295d02407e3f0c7d2d81f
  SHA256: 63082632b829ea71fcf343fe2ecd9a3d751febacb78eb56075647d21242970f2
  SHA512: 8ff8b178dba142eaefdcb7acba8c57c604dfb1a1c6df98e6598631de3a0fbd3b4aa58c8aedebf58ed8b83727d25dd27d5d7d5949a017ef1699a413dada6852ec
- memory/1504-0-0x0000000000000000-mapping.dmp
- memory/1560-12-0x0000000000000000-mapping.dmp
- memory/4784-7-0x0000000000000000-mapping.dmp
- memory/5188-4-0x0000000000000000-mapping.dmp