Analysis
- max time kernel: 78s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:17
- Static task: static1
- Behavioral task: behavioral1 (Sample: 63ad8faf3c2b306ccd8aa7874e24e7d48e0f6bbeeb37adab26c2efa1410022c4.exe; Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: 63ad8faf3c2b306ccd8aa7874e24e7d48e0f6bbeeb37adab26c2efa1410022c4.exe; Resource: win10v20201028)
General
- Target: 63ad8faf3c2b306ccd8aa7874e24e7d48e0f6bbeeb37adab26c2efa1410022c4.exe
- Size: 80KB
- MD5: bdc345b7bcecf485d2ee9f0011fd2fb3
- SHA1: b1610f94dc8235d939b4817c36e09a8ebc3a29dd
- SHA256: 63ad8faf3c2b306ccd8aa7874e24e7d48e0f6bbeeb37adab26c2efa1410022c4
- SHA512: 1d56a85688d6499512421b38ecca8167e31c0ec2bbfc812e6c742820690f7e608c45b6e7159c59b583f608a724f855a6481facda0846ccd7ee4acac446a83335
Malware Config
Extracted (family: netwalker) from ransom notes at:
- C:\odt\F2782A-Readme.txt
- C:\Users\Admin\Documents\F2782A-Readme.txt
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\F2782A-Readme.txt
- C:\Users\Admin\AppData\Local\TileDataLayer\Database\F2782A-Readme.txt
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\F2782A-Readme.txt
URLs (identical in every note):
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Process 63ad8faf3c2b306ccd8aa7874e24e7d48e0f6bbeeb37adab26c2efa1410022c4.exe (description / ioc):
- File renamed: C:\Users\Admin\Pictures\CloseComplete.raw => C:\Users\Admin\Pictures\CloseComplete.raw.f2782a
- File renamed: C:\Users\Admin\Pictures\OptimizePush.png => C:\Users\Admin\Pictures\OptimizePush.png.f2782a
- File renamed: C:\Users\Admin\Pictures\WriteResolve.tif => C:\Users\Admin\Pictures\WriteResolve.tif.f2782a
- File renamed: C:\Users\Admin\Pictures\UpdateProtect.crw => C:\Users\Admin\Pictures\UpdateProtect.crw.f2782a
- File renamed: C:\Users\Admin\Pictures\SkipApprove.crw => C:\Users\Admin\Pictures\SkipApprove.crw.f2782a
- File renamed: C:\Users\Admin\Pictures\ClearUnpublish.crw => C:\Users\Admin\Pictures\ClearUnpublish.crw.f2782a
- File renamed: C:\Users\Admin\Pictures\ProtectMove.tif => C:\Users\Admin\Pictures\ProtectMove.tif.f2782a
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Modifies service 2 TTPs 5 IoCs
Processes:
Process vssvc.exe (description / ioc):
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
-
Drops file in Program Files directory 17177 IoCs
Processes:
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
Process vssadmin.exe (pid / process):
- 1796 vssadmin.exe
-
Kills process with taskkill 1 IoCs
Processes:
Process taskkill.exe (pid / process):
- 9296 taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 17316 IoCs
Processes:
Process 63ad8faf3c2b306ccd8aa7874e24e7d48e0f6bbeeb37adab26c2efa1410022c4.exe (pid / process):
- 756 63ad8faf3c2b306ccd8aa7874e24e7d48e0f6bbeeb37adab26c2efa1410022c4.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
Processes 63ad8faf3c2b306ccd8aa7874e24e7d48e0f6bbeeb37adab26c2efa1410022c4.exe, vssvc.exe, taskkill.exe (description / pid / process):
- Token: SeDebugPrivilege 756 63ad8faf3c2b306ccd8aa7874e24e7d48e0f6bbeeb37adab26c2efa1410022c4.exe
- Token: SeImpersonatePrivilege 756 63ad8faf3c2b306ccd8aa7874e24e7d48e0f6bbeeb37adab26c2efa1410022c4.exe
- Token: SeBackupPrivilege 5744 vssvc.exe
- Token: SeRestorePrivilege 5744 vssvc.exe
- Token: SeAuditPrivilege 5744 vssvc.exe
- Token: SeDebugPrivilege 9296 taskkill.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Processes 63ad8faf3c2b306ccd8aa7874e24e7d48e0f6bbeeb37adab26c2efa1410022c4.exe, cmd.exe (description / pid / process / target process):
- PID 756 wrote to memory of 1796 (2 events): 63ad8faf3c2b306ccd8aa7874e24e7d48e0f6bbeeb37adab26c2efa1410022c4.exe -> vssadmin.exe
- PID 756 wrote to memory of 7488 (3 events): 63ad8faf3c2b306ccd8aa7874e24e7d48e0f6bbeeb37adab26c2efa1410022c4.exe -> notepad.exe
- PID 756 wrote to memory of 1100 (3 events): 63ad8faf3c2b306ccd8aa7874e24e7d48e0f6bbeeb37adab26c2efa1410022c4.exe -> cmd.exe
- PID 1100 wrote to memory of 9296 (3 events): cmd.exe -> taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\63ad8faf3c2b306ccd8aa7874e24e7d48e0f6bbeeb37adab26c2efa1410022c4.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\63ad8faf3c2b306ccd8aa7874e24e7d48e0f6bbeeb37adab26c2efa1410022c4.exe"
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exe (depth 2)
Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
- Interacts with shadow copies
-
C:\Windows\SysWOW64\notepad.exe (depth 2)
Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\F2782A-Readme.txt"
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6BCA.tmp.bat"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exe (depth 3)
Command line: taskkill /F /PID 756
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\6BCA.tmp.bat
MD5: f10cca122413ecfc887a6281d53a641a
SHA1: 030e036342bc457c10a4947b20e60ad7e71e63ed
SHA256: 57b531fea8e416c6741af0b35b14c91eb1a2e39467972944ba4c1e7852d9ee8d
SHA512: 83dd0bfc2e99923f4c28fea2bbee8a5876be7cba73e14008cb615731a6a4099a57f818aaab34aee370a5427683786e3596046ee62917bdc0fb10ded598c404f6
-
C:\Users\Admin\Desktop\F2782A-Readme.txt
MD5: 65dba1138b6b6a3a7425478db6790fc2
SHA1: 6f019d6076d5aa7a7e268b30b3d47714c769c3e4
SHA256: 5281f990f841e82b7fc6596e158c9f52c5027940d7e473c6c5e0eef0f1b2fae6
SHA512: 5a11fecec8d4891ee1d148a84200f075d6c28ae882c6429b5401e8260d7305d95b5f472c0051c0ea798d251be0b8d381684531b2ccb7b86cdcca4aed47a45247
-
memory/1100-2-0x0000000000000000-mapping.dmp
-
memory/1796-0-0x0000000000000000-mapping.dmp
-
memory/7488-1-0x0000000000000000-mapping.dmp
-
memory/9296-4-0x0000000000000000-mapping.dmp