Analysis
- max time kernel: 153s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
- Sample: 8f06645838d3d75e44d4527e2928c71af0a7214254867379359eb3e46109cbde.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 8f06645838d3d75e44d4527e2928c71af0a7214254867379359eb3e46109cbde.exe
- Resource: win10v20201028
General
- Target: 8f06645838d3d75e44d4527e2928c71af0a7214254867379359eb3e46109cbde.exe
- Size: 69KB
- MD5: 2b0384be06d20d3f4dd95cb5dda08683
- SHA1: 0a8516e8309816c029958b8d8485bc3cd4daa01d
- SHA256: 8f06645838d3d75e44d4527e2928c71af0a7214254867379359eb3e46109cbde
- SHA512: 07528a739430be0c8b3074d0c7b4f04e7f9d99acd30b87c9238b66e8ad2af811f4ac7eb0702f2527970d8ae36780c87dc39d6acde397b9c605a54f5b9fe1f1d2
Malware Config
Extracted from C:\odt\068E94-Readme.txt (family: netwalker)
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted from C:\Recovery\WindowsRE\068E94-Readme.txt (family: netwalker)
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted from C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\068E94-Readme.txt (family: netwalker)
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted from C:\Users\Admin\Desktop\068E94-Readme.txt (family: netwalker)
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted from C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\068E94-Readme.txt (family: netwalker)
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
- Netwalker Ransomware
  Ransomware family with multiple versions. Also known as MailTo.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (10 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: 8f06645838d3d75e44d4527e2928c71af0a7214254867379359eb3e46109cbde.exe
  - File opened for modification: C:\Users\Admin\Pictures\PushDisable.tiff
  - File opened for modification: C:\Users\Admin\Pictures\FindResize.tiff
  - File renamed: C:\Users\Admin\Pictures\CompressDisable.raw => C:\Users\Admin\Pictures\CompressDisable.raw.068e94
  - File renamed: C:\Users\Admin\Pictures\SubmitOpen.tif => C:\Users\Admin\Pictures\SubmitOpen.tif.068e94
  - File renamed: C:\Users\Admin\Pictures\UnregisterDisable.png => C:\Users\Admin\Pictures\UnregisterDisable.png.068e94
  - File renamed: C:\Users\Admin\Pictures\ConfirmRevoke.raw => C:\Users\Admin\Pictures\ConfirmRevoke.raw.068e94
  - File renamed: C:\Users\Admin\Pictures\PublishRestart.raw => C:\Users\Admin\Pictures\PublishRestart.raw.068e94
  - File renamed: C:\Users\Admin\Pictures\PushDisable.tiff => C:\Users\Admin\Pictures\PushDisable.tiff.068e94
  - File renamed: C:\Users\Admin\Pictures\DisconnectInvoke.tif => C:\Users\Admin\Pictures\DisconnectInvoke.tif.068e94
  - File renamed: C:\Users\Admin\Pictures\FindResize.tiff => C:\Users\Admin\Pictures\FindResize.tiff.068e94
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Modifies service (2 TTPs, 5 IoCs)
  Process: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
- Drops file in Program Files directory (14911 IoCs)
  Process: 8f06645838d3d75e44d4527e2928c71af0a7214254867379359eb3e46109cbde.exe
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_PenClick_LTR_Tablet.mp4
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20.png
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\4608_20x20x32.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\mask\13c.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_altform-unplated_contrast-white.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.scale-125.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Fues\CheckMark.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-100.png
  - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\THEMES.INF
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\JpegSurface\JpegControl.xaml
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\SmallTile.scale-100.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\PlaylistMediumTile.scale-100.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-24.png
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\068E94-Readme.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsWideTile.contrast-white_scale-100.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-200.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\skype.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.targetsize-40.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\crying.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\ui-strings.js
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1251_20x20x32.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Fonts\MapsMDL2.2.01.ttf
  - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10O.CHM
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Microsoft.VCLibs.x86.14.00.appx
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\068E94-Readme.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_contrast-black.png
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\068E94-Readme.txt
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\068E94-Readme.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-96_altform-unplated.png
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\068E94-Readme.txt
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-100.png
  - File opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-125.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\beach_12d.png
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7989_48x48x32.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.scale-100.png
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\en-US.PhoneNumber.model
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Sunglasses.png
  - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\trdtv2r41.xsl
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_store.targetsize-48.png
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\068E94-Readme.txt
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sl_get.svg
  - File opened for modification: C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.aff
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-72_altform-unplated.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-20_altform-unplated.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteWideTile.scale-150.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\tf_60x42.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Animation\crown_2.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\se_60x42.png
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\068E94-Readme.txt
  - File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-white_scale-125.png
  - File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconEditRichCapture.contrast-high_scale-125.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\Logo.scale-150.png
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-fr\068E94-Readme.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\PlaneCutKeepBottom.scale-100.png
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-72.png
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\068E94-Readme.txt
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2653_24x24x32.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64_altform-unplated.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-36.png
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\sRGB.pf
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Process: vssadmin.exe
  - pid 2732: vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (43235 IoCs)
  Process: 8f06645838d3d75e44d4527e2928c71af0a7214254867379359eb3e46109cbde.exe
  - pid 592: 8f06645838d3d75e44d4527e2928c71af0a7214254867379359eb3e46109cbde.exe (the same pid/process pair is recorded for every enumeration event listed in the report)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: 8f06645838d3d75e44d4527e2928c71af0a7214254867379359eb3e46109cbde.exe, vssvc.exe
  - Token: SeDebugPrivilege, pid 592, 8f06645838d3d75e44d4527e2928c71af0a7214254867379359eb3e46109cbde.exe
  - Token: SeImpersonatePrivilege, pid 592, 8f06645838d3d75e44d4527e2928c71af0a7214254867379359eb3e46109cbde.exe
  - Token: SeBackupPrivilege, pid 5712, vssvc.exe
  - Token: SeRestorePrivilege, pid 5712, vssvc.exe
  - Token: SeAuditPrivilege, pid 5712, vssvc.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Process: 8f06645838d3d75e44d4527e2928c71af0a7214254867379359eb3e46109cbde.exe
  - PID 592 wrote to memory of 2732: 8f06645838d3d75e44d4527e2928c71af0a7214254867379359eb3e46109cbde.exe -> vssadmin.exe
  - PID 592 wrote to memory of 2732: 8f06645838d3d75e44d4527e2928c71af0a7214254867379359eb3e46109cbde.exe -> vssadmin.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\8f06645838d3d75e44d4527e2928c71af0a7214254867379359eb3e46109cbde.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8f06645838d3d75e44d4527e2928c71af0a7214254867379359eb3e46109cbde.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
- (depth 1) C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2732-0-0x0000000000000000-mapping.dmp