Analysis
- max time kernel: 157s
- max time network: 162s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
  Sample: ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe
  Resource: win10v20201028
General
- Target: ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe
- Size: 69KB
- MD5: a9e395e478d042c77b1090242bb11372
- SHA1: cf53d001e7ec8b7ac48b78d1589f75ff388e8479
- SHA256: ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f
- SHA512: 29e1e16162a2baa47a065eeb1d2bd9b732e63e8c742b50c22278b05aad35987ea1301079c9cdc8716dd61ea313f098deb860e278e719f34e5a16056729749ba1
Malware Config
Extracted
  Path: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_14581a24ae3cd03160d66be822236893de867_cab_05f073b8\83E2CE-Readme.txt
  Family: netwalker
  http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted
  Path: C:\83E2CE-Readme.txt
  Family: netwalker
  http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted
  Path: C:\Users\Admin\Pictures\83E2CE-Readme.txt
  Family: netwalker
  http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
- Netwalker Ransomware
  Ransomware family with multiple versions. Also known as MailTo.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (11 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
  Process: ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe (all rows below)
  description | ioc
  File renamed | C:\Users\Admin\Pictures\InitializeSync.crw => C:\Users\Admin\Pictures\InitializeSync.crw.83e2ce
  File renamed | C:\Users\Admin\Pictures\GrantProtect.tiff => C:\Users\Admin\Pictures\GrantProtect.tiff.83e2ce
  File renamed | C:\Users\Admin\Pictures\SelectEdit.tif => C:\Users\Admin\Pictures\SelectEdit.tif.83e2ce
  File renamed | C:\Users\Admin\Pictures\WaitExport.raw => C:\Users\Admin\Pictures\WaitExport.raw.83e2ce
  File renamed | C:\Users\Admin\Pictures\MeasureWatch.tiff => C:\Users\Admin\Pictures\MeasureWatch.tiff.83e2ce
  File opened for modification | C:\Users\Admin\Pictures\GrantProtect.tiff
  File opened for modification | C:\Users\Admin\Pictures\MeasureWatch.tiff
  File renamed | C:\Users\Admin\Pictures\UnlockExit.tif => C:\Users\Admin\Pictures\UnlockExit.tif.83e2ce
  File renamed | C:\Users\Admin\Pictures\BlockHide.crw => C:\Users\Admin\Pictures\BlockHide.crw.83e2ce
  File renamed | C:\Users\Admin\Pictures\RegisterUnblock.png => C:\Users\Admin\Pictures\RegisterUnblock.png.83e2ce
  File renamed | C:\Users\Admin\Pictures\BlockInitialize.tif => C:\Users\Admin\Pictures\BlockInitialize.tif.83e2ce
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  3188 | cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Modifies service (2 TTPs, 5 IoCs)
  Processes:
  Process: vssvc.exe (all rows below)
  description | ioc
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
- Drops file in Program Files directory (7487 IoCs)
  Processes:
  Process: ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe (all rows below)
  description | ioc
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Khartoum
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\HEADER.GIF
  File created | C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\83E2CE-Readme.txt
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCOUPON.DPV
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00546_.WMF
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif
  File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\SystemV\CST6
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kamchatka
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART5.BDR
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIcons.jpg
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102002.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382944.JPG
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02263_.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote.ini
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.HTM
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BOAT.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialLetter.dotx
  File created | C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\83E2CE-Readme.txt
  File created | C:\Program Files\Java\jre7\lib\zi\Australia\83E2CE-Readme.txt
  File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\83E2CE-Readme.txt
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Palau
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_zh_CN.jar
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Casual.gif
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01046J.JPG
  File opened for modification | C:\Program Files\Google\Chrome\Application\86.0.4240.111\Extensions\external_extensions.json
  File opened for modification | C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\ro.pak
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222017.WMF
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153047.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00942_.WMF
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\management-agent.jar
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0292020.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK_COL.HXC
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01157_.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086428.WMF
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montreal
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\83E2CE-Readme.txt
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287018.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR7B.GIF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\FLASH.NET.XML
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_FormsHomePage.gif
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImages256Colors.bmp
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Argentina\Cordoba
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Generic.gif
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.LEX
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\ACCESS12.ACC
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Maldives
  File created | C:\Program Files\VideoLAN\VLC\plugins\access\83E2CE-Readme.txt
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0211949.WMF
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00350_.WMF
  File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\83E2CE-Readme.txt
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Opulent.eftx
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  pid | process
  1816 | vssadmin.exe
- Kills process with taskkill (1 IoCs)
  Processes:
  pid | process
  5296 | taskkill.exe
- Suspicious behavior: EnumeratesProcesses (22761 IoCs)
  Processes:
  pid | process
  800 | ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe
  (this same row is repeated many times in the report; the duplicates are not reproduced here)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 800 | ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe
  Token: SeImpersonatePrivilege | 800 | ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe
  Token: SeBackupPrivilege | 6296 | vssvc.exe
  Token: SeRestorePrivilege | 6296 | vssvc.exe
  Token: SeAuditPrivilege | 6296 | vssvc.exe
  Token: SeDebugPrivilege | 5296 | taskkill.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
  description | pid | process | target process
  PID 800 wrote to memory of 1816 | 800 | ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe | vssadmin.exe
  PID 800 wrote to memory of 1816 | 800 | ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe | vssadmin.exe
  PID 800 wrote to memory of 1816 | 800 | ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe | vssadmin.exe
  PID 800 wrote to memory of 1816 | 800 | ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe | vssadmin.exe
  PID 800 wrote to memory of 2232 | 800 | ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe | notepad.exe
  PID 800 wrote to memory of 2232 | 800 | ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe | notepad.exe
  PID 800 wrote to memory of 2232 | 800 | ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe | notepad.exe
  PID 800 wrote to memory of 2232 | 800 | ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe | notepad.exe
  PID 800 wrote to memory of 3188 | 800 | ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe | cmd.exe
  PID 800 wrote to memory of 3188 | 800 | ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe | cmd.exe
  PID 800 wrote to memory of 3188 | 800 | ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe | cmd.exe
  PID 800 wrote to memory of 3188 | 800 | ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe | cmd.exe
  PID 3188 wrote to memory of 5296 | 3188 | cmd.exe | taskkill.exe
  PID 3188 wrote to memory of 5296 | 3188 | cmd.exe | taskkill.exe
  PID 3188 wrote to memory of 5296 | 3188 | cmd.exe | taskkill.exe
  PID 3188 wrote to memory of 5296 | 3188 | cmd.exe | taskkill.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ee531cd7011cb5c2625d40892b70cf7e3860dbb92648391068e1f340e5d6c47f.exe"
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\notepad.exe
      Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\83E2CE-Readme.txt"
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\E9F2.tmp.bat"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /PID 800
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\E9F2.tmp.bat
  MD5: 88c6f82dba2b291b2910bc4c7a3a7037
  SHA1: 22a036caf94c6592b12f24b08b465c5a37aaa569
  SHA256: 92724eb0d12a4386b567b6027f9302508cbaf0559184713636e73692bff3e9ff
  SHA512: bbd84eaeb10026856184766ea1c12673322f56337213f5126d8b7e2cff9ea6d1f25b3e802547ed9d628f0a70121a4c689ee8ae439ed751a05b89fc0e266e8f66
- C:\Users\Admin\Desktop\83E2CE-Readme.txt
  MD5: 06b9056f7d79827e8b5bedd05a689b34
  SHA1: b8617151173c754befc8e147cf8ebb52c0d92aa5
  SHA256: cd21c8e2e2297f7a9fcf2cdea82b29f94b36c00ab71c4c630c5cd376704ea860
  SHA512: 369f1cfcc9f42077daf3f736f72505120a89a503984638a2aa637043b78ff8ac8663e245c3706787b387f3c5738cf755d7ddd7b5f05093b02a6fc5e4a06b21e5
- memory/1816-0-0x0000000000000000-mapping.dmp
- memory/2232-4-0x0000000000000000-mapping.dmp
- memory/3188-7-0x0000000000000000-mapping.dmp
- memory/5296-11-0x0000000000000000-mapping.dmp