Analysis
max time kernel: 162s
max time network: 169s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
  Sample: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  Resource: win10v20201028
General
Target: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
Size: 69KB
MD5: 5ce75526a25c81d0178d8092251013f0
SHA1: 1e1b1c4ae648786fe429c9ddd2182e0d58bcf423
SHA256: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677
SHA512: 740b9dba2119736e3b9e4c47654c264770d6bca4fe5b46ce32a33acfc09278a559cba9c72478d304e85654f381925e1204422b75c1e13fd26f4ab2511316e205
Malware Config
Extracted from three copies of the dropped readme:
- C:\Users\Admin\8FC5A3-Readme.txt
- C:\Users\Admin\Downloads\8FC5A3-Readme.txt
- C:\Users\Admin\AppData\Roaming\8FC5A3-Readme.txt
Family: netwalker
URLs (identical in all three copies):
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
- Netwalker Ransomware
  Ransomware family with multiple versions. Also known as MailTo.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (14 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\TraceStop.raw => C:\Users\Admin\Pictures\TraceStop.raw.8fc5a3 | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  File renamed | C:\Users\Admin\Pictures\GetFind.png => C:\Users\Admin\Pictures\GetFind.png.8fc5a3 | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  File opened for modification | C:\Users\Admin\Pictures\InitializeConvert.tiff | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  File renamed | C:\Users\Admin\Pictures\OutInitialize.crw => C:\Users\Admin\Pictures\OutInitialize.crw.8fc5a3 | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  File renamed | C:\Users\Admin\Pictures\RenameTest.raw => C:\Users\Admin\Pictures\RenameTest.raw.8fc5a3 | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  File renamed | C:\Users\Admin\Pictures\GrantFind.png => C:\Users\Admin\Pictures\GrantFind.png.8fc5a3 | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  File renamed | C:\Users\Admin\Pictures\ResumeSync.crw => C:\Users\Admin\Pictures\ResumeSync.crw.8fc5a3 | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  File opened for modification | C:\Users\Admin\Pictures\ReadRegister.tiff | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  File renamed | C:\Users\Admin\Pictures\RepairSearch.crw => C:\Users\Admin\Pictures\RepairSearch.crw.8fc5a3 | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  File renamed | C:\Users\Admin\Pictures\WatchHide.tif => C:\Users\Admin\Pictures\WatchHide.tif.8fc5a3 | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  File renamed | C:\Users\Admin\Pictures\ReadRegister.tiff => C:\Users\Admin\Pictures\ReadRegister.tiff.8fc5a3 | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  File renamed | C:\Users\Admin\Pictures\SyncOpen.png => C:\Users\Admin\Pictures\SyncOpen.png.8fc5a3 | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  File renamed | C:\Users\Admin\Pictures\SwitchRestart.tif => C:\Users\Admin\Pictures\SwitchRestart.tif.8fc5a3 | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  File renamed | C:\Users\Admin\Pictures\InitializeConvert.tiff => C:\Users\Admin\Pictures\InitializeConvert.tiff.8fc5a3 | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
- Drops file in Program Files directory (7475 IoCs)
  Processes: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  1304 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (22719 IoCs)
  Processes: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  pid | process
  1852 | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1852 | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  Token: SeImpersonatePrivilege | 1852 | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  Token: SeBackupPrivilege | 7128 | vssvc.exe
  Token: SeRestorePrivilege | 7128 | vssvc.exe
  Token: SeAuditPrivilege | 7128 | vssvc.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  description | pid | process | target process
  PID 1852 wrote to memory of 1304 | 1852 | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe | vssadmin.exe
  PID 1852 wrote to memory of 1304 | 1852 | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe | vssadmin.exe
  PID 1852 wrote to memory of 1304 | 1852 | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe | vssadmin.exe
  PID 1852 wrote to memory of 1304 | 1852 | 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\vssadmin.exe (child process)
    command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1304-0-0x0000000000000000-mapping.dmp