Analysis
max time kernel: 163s
max time network: 169s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
  Sample: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  Resource: win10v20201028
General
Target: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
Size: 69KB
MD5: addc865f61694906aa18756f722e1b56
SHA1: c4483ac873b4ee8623a65e682ffaa0535091f56a
SHA256: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043
SHA512: 6243310416203edf01d2c797c282005c20c49a22c8ab64b8a51967dda7e50f1a1ac89a61694b1277019c5373f3bf7262a13e783d4018884bbb9f3c9703bf9e34
Malware Config
Extracted from: C:\Users\Public\Libraries\591B12-Readme.txt
  Family: netwalker
  URLs:
    http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
    http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted from: C:\Users\Admin\AppData\Roaming\591B12-Readme.txt
  Family: netwalker
  URLs:
    http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
    http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted from: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\591B12-Readme.txt
  Family: netwalker
  URLs:
    http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
    http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
Netwalker Ransomware
  Ransomware family with multiple versions. Also known as MailTo.
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files (7 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\RegisterUndo.tif => C:\Users\Admin\Pictures\RegisterUndo.tif.591b12 | 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  File opened for modification | C:\Users\Admin\Pictures\SkipUnblock.tiff | 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  File opened for modification | C:\Users\Admin\Pictures\FindSuspend.tiff | 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  File renamed | C:\Users\Admin\Pictures\SkipUnblock.tiff => C:\Users\Admin\Pictures\SkipUnblock.tiff.591b12 | 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  File renamed | C:\Users\Admin\Pictures\PingUpdate.png => C:\Users\Admin\Pictures\PingUpdate.png.591b12 | 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  File renamed | C:\Users\Admin\Pictures\FindSuspend.tiff => C:\Users\Admin\Pictures\FindSuspend.tiff.591b12 | 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  File renamed | C:\Users\Admin\Pictures\ResolveUse.crw => C:\Users\Admin\Pictures\ResolveUse.crw.591b12 | 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Drops file in Program Files directory (14845 IoCs)
  Processes: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  Process for every row below: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  description | ioc
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.dualsim2.scale-150.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_scale-100.png
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-phn.xrm-ms
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Audio\Skype_Call_Failed.m4a
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-16_contrast-white.png
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxMediumTile.scale-150.png
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\send.white.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-150_contrast-black.png
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\591B12-Readme.txt
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\ui-strings.js
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-si\591B12-Readme.txt
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-ma\ui-strings.js
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\ui-strings.js
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7db.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\SampleHeader\avatar.png
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\sd\icecast.luac
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\PHONE.XML
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.White.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\editpdf-selector.js
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.properties
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\net.properties
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.LEX
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\hk_16x11.png
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsMedTile.scale-125.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ui-strings.js
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\ui-strings.js
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-80_altform-unplated.png
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsStoreLogo.contrast-black_scale-200.png
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\LargeTile.scale-200.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\trophystar.3mf
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\_Resources\7.rsrc
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Speech\en-GB\tokens_enGB.xml
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\5.jpg
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\TryAgain\TryAgain-up.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\eu-es\ui-strings.js
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-64_contrast-high.png
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\11s.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-125.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-24.png
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\591B12-Readme.txt
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.VideoTk\AlphaBlendingEffectPS_Y.cso
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\ui-strings.js
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_contrast-white.png
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-400.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\Tile\Sticker.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sk-sk\ui-strings.js
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\GameBar.winmd
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_IT-IT.respack
Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  3916 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses (42558 IoCs)
  Processes: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  pid | process
  728 | 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  (this same row is repeated 64 times in the report's listing; all listed IoCs are from pid 728)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 728 | 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  Token: SeImpersonatePrivilege | 728 | 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  Token: SeBackupPrivilege | 9484 | vssvc.exe
  Token: SeRestorePrivilege | 9484 | vssvc.exe
  Token: SeAuditPrivilege | 9484 | vssvc.exe
Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  description | pid | process | target process
  PID 728 wrote to memory of 3916 | 728 | 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe | vssadmin.exe
  PID 728 wrote to memory of 3916 | 728 | 444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe | vssadmin.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\444169e156b48a54e9f96b6b3a1c333670546663c8a2e14e561884c052420043.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2 (child of the process above): C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
Level 1: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  memory/3916-0-0x0000000000000000-mapping.dmp