General
Target

162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe

Filesize

69KB

Completed

10-11-2020 15:27

Task

behavioral1

Score
10/10
MD5

18c32583a6fe320b4dc66a251be45e64

SHA1

c3d0c0568fa08b94172d88fc0c0795cf7da31b60

SHA256

162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98

SHA256

3faaed3f4aeda3f04a9325e20e9df5e907239c9329913d688009f008763b6960956df87d84c5cc809e2c9cbcbc9da12e6b0f6745c69e3ade3e0ad2ff0f747c1c

Malware Config

Extracted

Path

C:\ProgramData\Adobe\Updater6\E4E0A7-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e4e0a7 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e4e0a7: kkfDdOcMUT8yb+jldLKqt0sNPtPy1H7qB8vkzpcPnLgGajVRWn mY6xuui0A8NQhUY+TntV+trBfuMYcPRjQIrT+69QtcoDJaxPhX awYq/OgihY814pPB1iBtUFsALyZjQ2WCaXzOeqUBhXQasVTIse zj3gnFPFK71TRiKAWMJohRztye+2OkIZsGUxmruIG2OypBgKA8 pKj39SyaE2HqqYM//Tb45xRp+gsZ5lFF6VYmpwfML57GeWV/md YSvu5E21g084GVz6Z5hpKR2EbAaKFGpZI7WQQnAw==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Users\Admin\AppData\Roaming\E4E0A7-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e4e0a7 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e4e0a7: kkfDdOcMUT8yb+jldLKqt0sNPtPy1H7qB8vkzpcPnLgGajVRWn mY6xuui0A8NQhUY+TntV+trBfuMYcPRjQIrT+69QtcoDJaxPhX awYq/OgihY814pPB1iBtUFsALyZjQ2WCaXzOeqUBhXQasVTIse zj3gnFPFK71TRiKAWMJohRztye+2OkIZsGUxmruIG2OypBgKA8 pKj39SyaE2HqqYM//Tb45xRp+gsZ5lFF6VYmpwfML57GeWV/md YSvu5E21g084GVz6Z5hpKR2EbAaKFGpZI7WQQnAw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e4e0a7 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e4e0a7: kkfDdOcMUT8yb+jldLKqt0sNPtPy1H7qB8vkzpcPnLgGajVRWn mY6xuui0A8NQhUY+TntV+trBfuMYcPRjQIrT+69QtcoDJaxPhX awYq/OgihY814pPB1iBtUFsALyZjQ2WCaXzOeqUBhXQasVTIse zj3gnFPFK71TRiKAWMJohRztye+2OkIZsGUxmruIG2OypBgKA8 pKj39SyaE2HqqYM//Tb45xRp+gsZ5lFF6VYmpwfML57GeWV/md YSvu5E21g084GVz6Z5hpKR2EbAaKFGpZI7WQQnAw==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Stationery\1033\E4E0A7-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e4e0a7 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e4e0a7: kkfDdOcMUT8yb+jldLKqt0sNPtPy1H7qB8vkzpcPnLgGajVRWn mY6xuui0A8NQhUY+TntV+trBfuMYcPRjQIrT+69QtcoDJaxPhX awYq/OgihY814pPB1iBtUFsALyZjQ2WCaXzOeqUBhXQasVTIse zj3gnFPFK71TRiKAWMJohRztye+2OkIZsGUxmruIG2OypBgKA8 pKj39SyaE2HqqYM//Tb45xRp+gsZ5lFF6VYmpwfML57GeWV/md YSvu5E21g084GVz6Z5hpKR2EbAaKFGpZI7WQQnAw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e4e0a7 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e4e0a7: kkfDdOcMUT8yb+jldLKqt0sNPtPy1H7qB8vkzpcPnLgGajVRWn mY6xuui0A8NQhUY+TntV+trBfuMYcPRjQIrT+69QtcoDJaxPhX awYq/OgihY814pPB1iBtUFsALyZjQ2WCaXzOeqUBhXQasVTIse zj3gnFPFK71TRiKAWMJohRztye+2OkIZsGUxmruIG2OypBgKA8 pKj39SyaE2HqqYM//Tb45xRp+gsZ5lFF6VYmpwfML57GeWV/md YSvu5E21g084GVz6Z5hpKR2EbAaKFGpZI7WQQnAw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e4e0a7 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e4e0a7: kkfDdOcMUT8yb+jldLKqt0sNPtPy1H7qB8vkzpcPnLgGajVRWn mY6xuui0A8NQhUY+TntV+trBfuMYcPRjQIrT+69QtcoDJaxPhX awYq/OgihY814pPB1iBtUFsALyZjQ2WCaXzOeqUBhXQasVTIse zj3gnFPFK71TRiKAWMJohRztye+2OkIZsGUxmruIG2OypBgKA8 pKj39SyaE2HqqYM//Tb45xRp+gsZ5lFF6VYmpwfML57GeWV/md YSvu5E21g084GVz6Z5hpKR2EbAaKFGpZI7WQQnAw==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures 12

Filter: none

Collection
Credential Access
Defense Evasion
Impact
Persistence
  • Netwalker Ransomware

    Description

    Ransomware family with multiple versions. Also known as MailTo.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Modifies extensions of user files
    162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Users\Admin\Pictures\RemoveStart.tiff162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File renamedC:\Users\Admin\Pictures\InitializeStep.tif => C:\Users\Admin\Pictures\InitializeStep.tif.e4e0a7162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File renamedC:\Users\Admin\Pictures\RemoveStart.tiff => C:\Users\Admin\Pictures\RemoveStart.tiff.e4e0a7162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
  • Deletes itself
    cmd.exe

    Reported IOCs

    pidprocess
    5720cmd.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Modifies service
    vssvc.exe

    TTPs

    Modify RegistryModify Existing Service

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}vssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writervssvc.exe
  • Drops file in Program Files directory
    162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\1036\MSO.ACL162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART1.BDR162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thunder_Bay162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152694.WMF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00483_.WMF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CRANE.WMF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\INFOMAIL.CFG162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File createdC:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\E4E0A7-Readme.txt162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107138.WMF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01838_.GIF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Sakhalin162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0300862.WMF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\7-Zip\Lang\fy.txt162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\sk.pak162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMaskSmall.bmp162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File createdC:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\E4E0A7-Readme.txt162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File createdC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\E4E0A7-Readme.txt162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14768_.GIF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vlc.mo162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18233_.WMF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jre7\lib\zi\Asia\Riyadh89162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00253_.WMF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuala_Lumpur162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR16F.GIF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp_3.6.300.v20140407-1855.jar162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195248.WMF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jre7\lib\zi\Etc\GMT+5162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\1033\PPINTL.REST.IDX_DLL162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02431_.WMF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\validation.js162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105244.WMF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\1033\GR8GALRY.GRA162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04385_.WMF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jre7\lib\zi\Australia\Lindeman162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLNOTE.FAE162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands_3.6.100.v20140528-1422.jar162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse_1.1.200.v20140414-0825.jar162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Norfolk162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00192_.WMF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01805_.WMF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0233070.WMF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01145_.WMF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jre7\lib\zi\America\Rankin_Inlet162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00074_.WMF162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chihuahua162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    File opened for modificationC:\Program Files\Java\jre7\lib\zi\Antarctica\Vostok162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery

    Reported IOCs

    pidprocess
    1412vssadmin.exe
  • Kills process with taskkill
    taskkill.exe

    Tags

    Reported IOCs

    pidprocess
    5920taskkill.exe
  • Suspicious behavior: EnumeratesProcesses
    162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe

    Reported IOCs

    pidprocess
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
  • Suspicious use of AdjustPrivilegeToken
    162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exevssvc.exetaskkill.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    Token: SeImpersonatePrivilege1940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    Token: SeBackupPrivilege7896vssvc.exe
    Token: SeRestorePrivilege7896vssvc.exe
    Token: SeAuditPrivilege7896vssvc.exe
    Token: SeDebugPrivilege5920taskkill.exe
  • Suspicious use of WriteProcessMemory
    162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.execmd.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1940 wrote to memory of 14121940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exevssadmin.exe
    PID 1940 wrote to memory of 14121940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exevssadmin.exe
    PID 1940 wrote to memory of 14121940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exevssadmin.exe
    PID 1940 wrote to memory of 14121940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exevssadmin.exe
    PID 1940 wrote to memory of 56081940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exenotepad.exe
    PID 1940 wrote to memory of 56081940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exenotepad.exe
    PID 1940 wrote to memory of 56081940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exenotepad.exe
    PID 1940 wrote to memory of 56081940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exenotepad.exe
    PID 1940 wrote to memory of 57201940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.execmd.exe
    PID 1940 wrote to memory of 57201940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.execmd.exe
    PID 1940 wrote to memory of 57201940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.execmd.exe
    PID 1940 wrote to memory of 57201940162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.execmd.exe
    PID 5720 wrote to memory of 59205720cmd.exetaskkill.exe
    PID 5720 wrote to memory of 59205720cmd.exetaskkill.exe
    PID 5720 wrote to memory of 59205720cmd.exetaskkill.exe
    PID 5720 wrote to memory of 59205720cmd.exetaskkill.exe
Processes 6
  • C:\Users\Admin\AppData\Local\Temp\162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe
    "C:\Users\Admin\AppData\Local\Temp\162ae350c47c2e14864d0c0f927bf424eb6b844017329c9b1e216f3e2d724d98.exe"
    Modifies extensions of user files
    Drops file in Program Files directory
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      Interacts with shadow copies
      PID:1412
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\E4E0A7-Readme.txt"
      PID:5608
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2AB8.tmp.bat"
      Deletes itself
      Suspicious use of WriteProcessMemory
      PID:5720
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 1940
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        PID:5920
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Modifies service
    Suspicious use of AdjustPrivilegeToken
    PID:7896
Network
MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Discovery
      Execution
        Exfiltration
          Initial Access
            Lateral Movement
              Privilege Escalation
                Replay Monitor
                00:00 00:00
                Downloads
                • C:\Users\Admin\AppData\Local\Temp\2AB8.tmp.bat

                  MD5

                  d8fe8a214fba930a39f6aab3a344889b

                  SHA1

                  52961dd3e863088363abebec9a629d73a1365917

                  SHA256

                  64eb1fe708c2f9dfc2468f4467cec20d6e83b93051763b31d1be7289d42d4e68

                  SHA512

                  e3dba09e135665fa6b7f5907ec54bffca0596a0dbd2a87d42b8306ca1fbce137e40c26de29b79312121ec761682311d94d130eb53e087fc79e805a6ba8d5a90a

                • C:\Users\Admin\Desktop\E4E0A7-Readme.txt

                  MD5

                  e8b552facdf573ed5f2ae514c9a879ab

                  SHA1

                  82d78d9cd9ddca3e55cb1cb4f92fe6c872af0568

                  SHA256

                  b3ce97abf2810f2490cd6f010fda3f1b6f6179fbc2b96baacc339f1ba00977f2

                  SHA512

                  0e03082970a12ad21224c5894c5ad61a836718e448ae83df03533b4fba65f1d53ba9092416a343f5f471b0f90cd31409da7081db61b65ec839496c95292cef61

                • memory/1412-0-0x0000000000000000-mapping.dmp

                • memory/5608-4-0x0000000000000000-mapping.dmp

                • memory/5720-7-0x0000000000000000-mapping.dmp

                • memory/5920-12-0x0000000000000000-mapping.dmp