Analysis
- max time kernel: 151s
- max time network: 49s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
  Sample: 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49.bin.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49.bin.exe
  Resource: win10v20201028
General
- Target: 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49.bin.exe
- Size: 69KB
- MD5: 9172586c2f870ab76eb0852d1f4dfaea
- SHA1: 69e858f578fb0e7fdfb1d26db52dd6a95f5802ff
- SHA256: 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49
- SHA512: a44bfdb4a86bfd9446015f6eaf4103dcf455ce1b56d38b0307251f1bc5187a036e85de2b2b8cd1d959dd6df13675d8fa64c1a8c60b73845d32897a0c4f360ed4
Malware Config
Extracted
  Path: C:\Program Files\Google\Chrome\Application\5EE731-Readme.txt
  Family: netwalker
  URLs:
    http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
    http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted
  Path: C:\Program Files\5EE731-Readme.txt
  Family: netwalker
  URLs:
    http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
    http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted
  Path: C:\Users\Admin\AppData\Roaming\5EE731-Readme.txt
  Family: netwalker
  URLs:
    http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
    http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted
  Path: C:\Users\Admin\Documents\5EE731-Readme.txt
  Family: netwalker
  URLs:
    http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
    http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
- Netwalker Ransomware
  Ransomware family with multiple versions. Also known as MailTo.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Processes: 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49.bin.exe
    description | ioc | process
    File renamed | C:\Users\Admin\Pictures\DebugRepair.tif => C:\Users\Admin\Pictures\DebugRepair.tif.5ee731 | 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49.bin.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
- Drops file in Program Files directory (5396 IoCs)
  Processes: 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49.bin.exe
  (the process column is 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49.bin.exe for every row below; the report extract shows only a subset of the 5396 IoCs)
    description | ioc
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\CHICAGO.XSL
    File opened for modification | C:\Program Files\VideoLAN\VLC\lua\meta\art\02_frenchtv.luac
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator_3.3.300.v20140518-1928.jar
    File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\5EE731-Readme.txt
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Contacts.accdt
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jsse.jar
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.CN.XML
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285750.WMF
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART5.BDR
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BOAT.WMF
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\ORG97R.SAM
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityLetter.Dotx
    File opened for modification | C:\Program Files\Java\jre7\lib\security\trusted.libraries
    File opened for modification | C:\Program Files\7-Zip\Lang\kaa.txt
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\5EE731-Readme.txt
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB01741L.GIF
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Santarem
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar
    File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfo.zip
    File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Interface.zip
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG
    File opened for modification | C:\Program Files\7-Zip\Lang\zh-tw.txt
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vincennes
    File created | C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\5EE731-Readme.txt
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr.jar
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieNewsletter.dotx
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Creston
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif
    File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\5EE731-Readme.txt
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\IPIRM.XML
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDEC.CFG
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKUPD.CFG
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif
    File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\5EE731-Readme.txt
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Generic.gif
    File opened for modification | C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGDOTS.DPV
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Stanley
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\TAB_OFF.GIF
    File opened for modification | C:\Program Files\7-Zip\Lang\ka.txt
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar
    File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png
    File opened for modification | C:\Program Files\7-Zip\Lang\is.txt
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvSOFT.x3d
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10297_.GIF
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
    pid | process
    2004 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (25021 IoCs)
  Processes: 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49.bin.exe
    pid | process
    684 | 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49.bin.exe
    (this identical row is repeated for every IoC in the extract; the report shows only a subset of the 25021 IoCs)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49.bin.exe, vssvc.exe
    description | pid | process
    Token: SeDebugPrivilege | 684 | 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49.bin.exe
    Token: SeImpersonatePrivilege | 684 | 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49.bin.exe
    Token: SeBackupPrivilege | 3108 | vssvc.exe
    Token: SeRestorePrivilege | 3108 | vssvc.exe
    Token: SeAuditPrivilege | 3108 | vssvc.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49.bin.exe
    description | pid | process | target process
    PID 684 wrote to memory of 2004 | 684 | 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49.bin.exe | vssadmin.exe
    PID 684 wrote to memory of 2004 | 684 | 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49.bin.exe | vssadmin.exe
    PID 684 wrote to memory of 2004 | 684 | 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49.bin.exe | vssadmin.exe
    PID 684 wrote to memory of 2004 | 684 | 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49.bin.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49.bin.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\vssadmin.exe (child of the process above)
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2004-0-0x0000000000000000-mapping.dmp