Analysis
- max time kernel: 161s
- max time network: 173s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
  Sample: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  Resource: win10v20201028
General
- Target: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
- Size: 69KB
- MD5: addc865f61694906aa18756f722e1b56
- SHA1: c4483ac873b4ee8623a65e682ffaa0535091f56a
- SHA256: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043
- SHA512: 6243310416203edf01d2c797c282005c20c49a22c8ab64b8a51967dda7e50f1a1ac89a61694b1277019c5373f3bf7262a13e783d4018884bbb9f3c9703bf9e34
Malware Config
Extracted from C:\Program Files (x86)\Common Files\Adobe AIR\57A070-Readme.txt
- Family: netwalker
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted from C:\Program Files\Java\jdk1.7.0_80\57A070-Readme.txt
- Family: netwalker
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted from C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\57A070-Readme.txt
- Family: netwalker
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files (12 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
- File opened for modification: C:\Users\Admin\Pictures\StepJoin.tiff
- File renamed: C:\Users\Admin\Pictures\RequestSet.tif => C:\Users\Admin\Pictures\RequestSet.tif.57a070
- File renamed: C:\Users\Admin\Pictures\StepJoin.tiff => C:\Users\Admin\Pictures\StepJoin.tiff.57a070
- File renamed: C:\Users\Admin\Pictures\SelectMove.png => C:\Users\Admin\Pictures\SelectMove.png.57a070
- File renamed: C:\Users\Admin\Pictures\EnableLimit.png => C:\Users\Admin\Pictures\EnableLimit.png.57a070
- File renamed: C:\Users\Admin\Pictures\RedoRevoke.png => C:\Users\Admin\Pictures\RedoRevoke.png.57a070
- File opened for modification: C:\Users\Admin\Pictures\RemoveDisconnect.tiff
- File opened for modification: C:\Users\Admin\Pictures\RestoreRevoke.tiff
- File renamed: C:\Users\Admin\Pictures\RemoveDisconnect.tiff => C:\Users\Admin\Pictures\RemoveDisconnect.tiff.57a070
- File renamed: C:\Users\Admin\Pictures\MergeFind.tif => C:\Users\Admin\Pictures\MergeFind.tif.57a070
- File renamed: C:\Users\Admin\Pictures\RestoreRevoke.tiff => C:\Users\Admin\Pictures\RestoreRevoke.tiff.57a070
- File renamed: C:\Users\Admin\Pictures\EnterSplit.tif => C:\Users\Admin\Pictures\EnterSplit.tif.57a070
Deletes itself (1 IoCs)
Processes:
- pid 3196 cmd.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Drops file in Program Files directory (7474 IoCs)
Processes: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- pid 1288 vssadmin.exe
Kills process with taskkill (1 IoCs)
Processes:
- pid 3264 taskkill.exe
Suspicious behavior: EnumeratesProcesses (20306 IoCs)
Processes:
- pid 1084 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe, vssvc.exe, taskkill.exe
- Token: SeDebugPrivilege, pid 1084, 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
- Token: SeImpersonatePrivilege, pid 1084, 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
- Token: SeBackupPrivilege, pid 5292, vssvc.exe
- Token: SeRestorePrivilege, pid 5292, vssvc.exe
- Token: SeAuditPrivilege, pid 5292, vssvc.exe
- Token: SeDebugPrivilege, pid 3264, taskkill.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Processes: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe, cmd.exe
- PID 1084 wrote to memory of 1288: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe -> vssadmin.exe
- PID 1084 wrote to memory of 1288: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe -> vssadmin.exe
- PID 1084 wrote to memory of 1288: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe -> vssadmin.exe
- PID 1084 wrote to memory of 1288: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe -> vssadmin.exe
- PID 1084 wrote to memory of 1300: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe -> notepad.exe
- PID 1084 wrote to memory of 1300: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe -> notepad.exe
- PID 1084 wrote to memory of 1300: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe -> notepad.exe
- PID 1084 wrote to memory of 1300: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe -> notepad.exe
- PID 1084 wrote to memory of 3196: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe -> cmd.exe
- PID 1084 wrote to memory of 3196: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe -> cmd.exe
- PID 1084 wrote to memory of 3196: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe -> cmd.exe
- PID 1084 wrote to memory of 3196: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe -> cmd.exe
- PID 3196 wrote to memory of 3264: cmd.exe -> taskkill.exe
- PID 3196 wrote to memory of 3264: cmd.exe -> taskkill.exe
- PID 3196 wrote to memory of 3264: cmd.exe -> taskkill.exe
- PID 3196 wrote to memory of 3264: cmd.exe -> taskkill.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\notepad.exe
    Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\57A070-Readme.txt"
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\ECCF.tmp.bat"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /PID 1084
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ECCF.tmp.bat
  MD5: f4498f15a0e5883e6759b019ef17e4d4
  SHA1: 31688ee482e6c072b495b2bfff0a399cc6f70726
  SHA256: 0b42bb3a2fd15529c144794110d27994b82eeeeeb97a4c7758407fba184cd303
  SHA512: b78975c11b9759052b98d4d7629b5f31f6ae67a85f0041dfc1813cfa42c43a2beaa610953fae920428feb0d2d7198b58dab3e9cc63a8f17b26d01a193967c660
- C:\Users\Admin\Desktop\57A070-Readme.txt
  MD5: dfa91257c2e9ecd8c2ac1923779fb4bc
  SHA1: f38c6567a1ea3dbd7ecf903311000d5457652986
  SHA256: 44432709d1c83a168e552b242b09ba50a1feefdf0c5c4510bbd3cd16968dcb69
  SHA512: 50916e1f3b8c641dcd953450044e133c272b9daaaa09216d080b9410a4ad15f1bbcfda6c3669c24e984e4efdb4ad624782985df82460a2f8c52d84a303a5053c
- memory/1288-0-0x0000000000000000-mapping.dmp
- memory/1300-3-0x0000000000000000-mapping.dmp
- memory/3196-4-0x0000000000000000-mapping.dmp
- memory/3264-7-0x0000000000000000-mapping.dmp