Analysis
Max time kernel: 160s
Max time network: 133s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
  Sample: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
  Resource: win10v20201028
General
Target: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
Size: 69KB
MD5: 5ce75526a25c81d0178d8092251013f0
SHA1: 1e1b1c4ae648786fe429c9ddd2182e0d58bcf423
SHA256: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677
SHA512: 740b9dba2119736e3b9e4c47654c264770d6bca4fe5b46ce32a33acfc09278a559cba9c72478d304e85654f381925e1204422b75c1e13fd26f4ab2511316e205
Malware Config
Extracted from: C:\810DE7-Readme.txt
Family: netwalker
URLs:
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted from: C:\Users\Admin\Music\810DE7-Readme.txt
Family: netwalker
URLs:
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files (11 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
- File renamed: C:\Users\Admin\Pictures\UnblockFormat.tiff => C:\Users\Admin\Pictures\UnblockFormat.tiff.810de7
- File renamed: C:\Users\Admin\Pictures\ImportRevoke.crw => C:\Users\Admin\Pictures\ImportRevoke.crw.810de7
- File renamed: C:\Users\Admin\Pictures\ApproveMount.png => C:\Users\Admin\Pictures\ApproveMount.png.810de7
- File renamed: C:\Users\Admin\Pictures\ClearReceive.raw => C:\Users\Admin\Pictures\ClearReceive.raw.810de7
- File renamed: C:\Users\Admin\Pictures\DisableUnpublish.raw => C:\Users\Admin\Pictures\DisableUnpublish.raw.810de7
- File renamed: C:\Users\Admin\Pictures\ShowTrace.png => C:\Users\Admin\Pictures\ShowTrace.png.810de7
- File renamed: C:\Users\Admin\Pictures\CompressInstall.tiff => C:\Users\Admin\Pictures\CompressInstall.tiff.810de7
- File opened for modification: C:\Users\Admin\Pictures\UnblockFormat.tiff
- File opened for modification: C:\Users\Admin\Pictures\CompressInstall.tiff
- File renamed: C:\Users\Admin\Pictures\ImportUnlock.tif => C:\Users\Admin\Pictures\ImportUnlock.tif.810de7
- File renamed: C:\Users\Admin\Pictures\InstallStep.crw => C:\Users\Admin\Pictures\InstallStep.crw.810de7
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Modifies service (2 TTPs, 5 IoCs)
Process: vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Note that the writing process here is vssvc.exe, the Volume Shadow Copy service itself, and the keys sit under VSS\Diag, where the service records writer diagnostics. They are a side effect of servicing the vssadmin.exe shadow-deletion request recorded below, not a service installed or reconfigured by the sample.
Drops file in Program Files directory (11824 IoCs; 64 shown)
Process: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe (all rows)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\LargeTile.scale-100.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\HLSL\ConstantsPerObjectLighted.fx
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-125.png
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql90.xsl
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.News\Assets\news_button_down.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-400.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-24.png
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\ECLIPSE.INF
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_altform-unplated.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-60_altform-unplated.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_contrast-white.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-30.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\classic_1c.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\main.css
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo1.targetsize-16.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-24_altform-unplated.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\27.jpg
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60_altform-fullcolor.png
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGIB.TTF
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac
- File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSplashScreen.scale-125.png
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-pl.xrm-ms
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-48.png
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\810DE7-Readme.txt
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\StarClubTile.Wide.jpg
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\SATIN.INF
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-40.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-125.png
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_es.properties
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\AppxManifest.xml
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\networkmanifest.xml
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-20.png
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.WINWORD.16.1033.hxn
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\THMBNAIL.PNG
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Square150x150Logo.scale-100.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-72_altform-unplated.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ls_60x42.png
- File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\LargeTile.scale-125.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\offsymxl.ttf
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OneConnectAppList.targetsize-30.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\Assets\Logo.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-64_contrast-white.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeMedTile.scale-200_contrast-white.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Microsoft.Xaml.Interactions.winmd
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsMedTile.contrast-black_scale-200.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\challenge\Came_To_Play_Unearned_small.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\drunk.png
- File created: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\810DE7-Readme.txt
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-140.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\rs_16x11.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\OneConnectSmallTile.scale-200.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-80_contrast-white.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\cork.jpg
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Google.scale-125.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\bandit.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-100.png
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\810DE7-Readme.txt
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\810DE7-Readme.txt
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Process: vssadmin.exe
- pid 3244: vssadmin.exe
Suspicious behavior: EnumeratesProcesses (45127 IoCs)
Process: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
- pid 2208: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe (every displayed row is this same pid/process pair; the report truncates the list)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe, vssvc.exe
- Token: SeDebugPrivilege, pid 2208, 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
- Token: SeImpersonatePrivilege, pid 2208, 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
- Token: SeBackupPrivilege, pid 4872, vssvc.exe
- Token: SeRestorePrivilege, pid 4872, vssvc.exe
- Token: SeAuditPrivilege, pid 4872, vssvc.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Process: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe
- PID 2208 wrote to memory of 3244: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe -> vssadmin.exe
- PID 2208 wrote to memory of 3244: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe -> vssadmin.exe
Processes
C:\Users\Admin\AppData\Local\Temp\4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe (pid 2208)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\system32\vssadmin.exe (pid 3244)
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
C:\Windows\system32\vssvc.exe (pid 4872)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
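Detection logic for the behaviour chain recorded above, as an added example that is not part of the sandbox report. It replays constructed telemetry built from the report's own IoCs (the pids, the vssadmin.exe command line, the Pictures renames to .810de7 and the 810DE7-Readme.txt drops) and raises three alerts: the shadow-copy deletion via vssadmin.exe, a mass rename of user files to one new extension, and the correlation between that extension and the ransom-note id. The (kind, pid, ppid, image, detail) tuple layout and the rename threshold are assumptions of the example, not any EDR's export format.

```python
"""Replay sandbox-style telemetry and flag the ransomware behaviours above.

Added example, not part of the original report. Event tuples are
(kind, pid, ppid, image, detail); that layout and the rename threshold are
assumptions of this example, while the pids, paths and command lines are
taken from the report.
"""
import re
from collections import Counter, defaultdict

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677.bin.exe")
PICS = r"C:\Users\Admin\Pictures"


def rename(name):
    """Constructed 'File renamed' detail in the report's 'src => dst' form."""
    return f"{PICS}\\{name} => {PICS}\\{name}.810de7"


# Constructed telemetry built from the report's IoCs.
SAMPLE_EVENTS = [
    ("process", 2208, 1, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ("rename", 2208, 1, SAMPLE_EXE, rename("UnblockFormat.tiff")),
    ("rename", 2208, 1, SAMPLE_EXE, rename("ImportRevoke.crw")),
    ("rename", 2208, 1, SAMPLE_EXE, rename("ApproveMount.png")),
    ("rename", 2208, 1, SAMPLE_EXE, rename("ClearReceive.raw")),
    ("rename", 2208, 1, SAMPLE_EXE, rename("DisableUnpublish.raw")),
    ("create", 2208, 1, SAMPLE_EXE, r"C:\810DE7-Readme.txt"),
    ("create", 2208, 1, SAMPLE_EXE, r"C:\Users\Admin\Music\810DE7-Readme.txt"),
    ("process", 3244, 2208, r"C:\Windows\system32\vssadmin.exe",
     r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet"),
    ("process", 4872, 1, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

RENAME_RE = re.compile(r"^(?P<src>.+?) => (?P<dst>.+)$")
# The note is <ID>-Readme.txt, where <ID> is the id the sample also appends to files.
NOTE_RE = re.compile(r"(?:^|\\)(?P<id>[0-9A-Fa-f]{4,8})-Readme\.txt$")
SHADOW_RE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)


def appended_extension(src, dst):
    """Suffix appended to src to form dst (lowercased), or None if dst is not src + '.ext'."""
    tail = dst[len(src):] if dst.startswith(src) else ""
    return tail.lower() if tail.startswith(".") and len(tail) > 1 else None


def detect(events, rename_threshold=5):
    """Return alert dicts for shadow-copy deletion and mass renames to one new extension."""
    alerts = []
    ext_counts = defaultdict(Counter)  # pid -> appended extension -> count
    note_ids = defaultdict(set)        # pid -> ransom-note ids seen (lowercased)
    for kind, pid, ppid, image, detail in events:
        base = image.rsplit("\\", 1)[-1].lower()
        if kind == "process" and base == "vssadmin.exe" and SHADOW_RE.search(detail):
            # Covers 'Deletes shadow copies' and 'Interacts with shadow copies'.
            alerts.append({"rule": "shadow_copy_deletion", "pid": pid,
                           "parent_pid": ppid, "cmdline": detail})
        elif kind == "rename" and (m := RENAME_RE.match(detail)):
            ext = appended_extension(m["src"], m["dst"])
            if ext:
                ext_counts[pid][ext] += 1
        elif kind == "create" and (m := NOTE_RE.search(detail)):
            note_ids[pid].add(m["id"].lower())
    for pid, counter in ext_counts.items():
        ext, n = counter.most_common(1)[0]
        if n < rename_threshold:
            continue
        alert = {"rule": "mass_rename_to_new_extension", "pid": pid,
                 "extension": ext, "count": n}
        # '.810de7' files beside '810DE7-Readme.txt': tie the note to the encryption run.
        if ext[1:] in note_ids.get(pid, ()):
            alert["ransom_note_id"] = ext[1:]
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The rename rule keys on the extension being appended to the original name rather than replacing it, which is what the report's `X.tiff => X.tiff.810de7` rows show; a threshold on a single pid keeps ordinary user renames from firing. The shadow-copy rule carries the parent pid so the vssadmin.exe launch can be joined back to the sample, matching the WriteProcessMemory pair above.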
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3244-0-0x0000000000000000-mapping.dmp