Archive | 6059871321227264.zip |
Sample | 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe |
Size | 66KB |
Date | 01-07-2021 04:41 |
MD5 | 5e7d419747ee589f724a80d9ac8b7186 |
SHA1 | b91e9178b054811312c83f3d81cc4153d2fa38ba |
SHA256 | 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6 |
Extracted
Path | C:\F43E65-Readme.txt |
Family | netwalker |
Ransom Note |
Hi!
Your files are encrypted by Netwalker.
All encrypted files for this computer has extension: .f43e65
--
If for some reason you read this text before the encryption ended,
this can be understood by the fact that the computer slows down,
and your heart rate has increased due to the ability to turn it off,
then we recommend that you move away from the computer and accept that you have been compromised.
Rebooting/shutdown will cause you to lose files without the possibility of recovery.
--
Our encryption algorithms are very strong and your files are very well protected,
the only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.
For us this is just business and to prove to you our seriousness, we will decrypt you one file for free.
Just open our website, upload the encrypted file and get the decrypted file for free.
--
Steps to get access on our website:
1.Download and install tor-browser: https://torproject.org/
2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3.Put your personal code in the input form:
{code_f43e65:
tFP0GSPudA3wtSInAhscvfzXvpX+8l2ijkOL436d3tzEe10FjP
SVcGJfsY0ZiP4PzLUEDVdW1wZrykXNUE35iuIGga5wkVoW41Zj
ArOjnCI4pLwFkRozDKvyJlBLfroH/ys0CblD0uaY5H3xze4CUd
vRlHUDGSOodkUK0pbNjgHm0u2isc40hOk80O4cN0JorA+qzsgb
Jgo+i8ncEYB4pVRVYf6vODuPONo2DANhMT9I3Vhuohs2d/TXA/
quUK7xZ8FT7TuCvYxC6E3toGAYAPfnBJuugw4rlA==}
|
URLs |
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion |
Extracted
Path | C:\Users\Admin\Favorites\Microsoft Websites\F43E65-Readme.txt |
Family | netwalker |
Ransom Note |
Hi!
Your files are encrypted by Netwalker.
All encrypted files for this computer has extension: .f43e65
--
If for some reason you read this text before the encryption ended,
this can be understood by the fact that the computer slows down,
and your heart rate has increased due to the ability to turn it off,
then we recommend that you move away from the computer and accept that you have been compromised.
Rebooting/shutdown will cause you to lose files without the possibility of recovery.
--
Our encryption algorithms are very strong and your files are very well protected,
the only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.
For us this is just business and to prove to you our seriousness, we will decrypt you one file for free.
Just open our website, upload the encrypted file and get the decrypted file for free.
--
Steps to get access on our website:
1.Download and install tor-browser: https://torproject.org/
2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3.Put your personal code in the input form:
{code_f43e65:
tFP0GSPudA3wtSInAhscvfzXvpX+8l2ijkOL436d3tzEe10FjP
SVcGJfsY0ZiP4PzLUEDVdW1wZrykXNUE35iuIGga5wkVoW41Zj
ArOjnCI4pLwFkRozDKvyJlBLfroH/ys0CblD0uaY5H3xze4CUd
vRlHUDGSOodkUK0pbNjgHm0u2isc40hOk80O4cN0JorA+qzsgb
Jgo+i8ncEYB4pVRVYf6vODuPONo2DANhMT9I3Vhuohs2d/TXA/
quUK7xZ8FT7TuCvYxC6E3toGAYAPfnBJuugw4rlA==}
|
URLs |
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion |
Extracted
Path | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\F43E65-Readme.txt |
Family | netwalker |
Ransom Note |
Hi!
Your files are encrypted by Netwalker.
All encrypted files for this computer has extension: .f43e65
--
If for some reason you read this text before the encryption ended,
this can be understood by the fact that the computer slows down,
and your heart rate has increased due to the ability to turn it off,
then we recommend that you move away from the computer and accept that you have been compromised.
Rebooting/shutdown will cause you to lose files without the possibility of recovery.
--
Our encryption algorithms are very strong and your files are very well protected,
the only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.
For us this is just business and to prove to you our seriousness, we will decrypt you one file for free.
Just open our website, upload the encrypted file and get the decrypted file for free.
--
Steps to get access on our website:
1.Download and install tor-browser: https://torproject.org/
2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3.Put your personal code in the input form:
{code_f43e65:
tFP0GSPudA3wtSInAhscvfzXvpX+8l2ijkOL436d3tzEe10FjP
SVcGJfsY0ZiP4PzLUEDVdW1wZrykXNUE35iuIGga5wkVoW41Zj
ArOjnCI4pLwFkRozDKvyJlBLfroH/ys0CblD0uaY5H3xze4CUd
vRlHUDGSOodkUK0pbNjgHm0u2isc40hOk80O4cN0JorA+qzsgb
Jgo+i8ncEYB4pVRVYf6vODuPONo2DANhMT9I3Vhuohs2d/TXA/
quUK7xZ8FT7TuCvYxC6E3toGAYAPfnBJuugw4rlA==}
|
URLs |
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion |
Netwalker Ransomware
Description
Ransomware family with multiple versions. Also known as MailTo.
-
Deletes shadow copies
Description
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files (9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe)
Description
Ransomware generally changes the extension on encrypted files.
Reported IOCs
description | ioc | process
File renamed | C:\Users\Admin\Pictures\FormatHide.raw => C:\Users\Admin\Pictures\FormatHide.raw.f43e65 | 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe
File renamed | C:\Users\Admin\Pictures\ConvertFromExport.raw => C:\Users\Admin\Pictures\ConvertFromExport.raw.f43e65 | 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe
File renamed | C:\Users\Admin\Pictures\SplitInstall.crw => C:\Users\Admin\Pictures\SplitInstall.crw.f43e65 | 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe
File renamed | C:\Users\Admin\Pictures\MergeShow.tif => C:\Users\Admin\Pictures\MergeShow.tif.f43e65 | 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe
-
Deletes itself (cmd.exe)
Reported IOCs
pid | process
5856 | cmd.exe
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory (9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe)
Reported IOCs
-
Interacts with shadow copies (vssadmin.exe)
Description
Shadow copies are often targeted by ransomware to inhibit system recovery.
Reported IOCs
pid | process
2008 | vssadmin.exe
-
Kills process with taskkill (taskkill.exe)
Reported IOCs
pid | process
5004 | taskkill.exe
-
Suspicious behavior: EnumeratesProcesses (9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe)
Reported IOCs
pid | process
1964 | 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe
-
Suspicious use of AdjustPrivilegeToken (9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe, vssvc.exe, taskkill.exe)
Reported IOCs
description | pid | process
Token: SeDebugPrivilege | 1964 | 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe
Token: SeImpersonatePrivilege | 1964 | 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe
Token: SeBackupPrivilege | 2608 | vssvc.exe
Token: SeRestorePrivilege | 2608 | vssvc.exe
Token: SeAuditPrivilege | 2608 | vssvc.exe
Token: SeDebugPrivilege | 5004 | taskkill.exe
-
Suspicious use of WriteProcessMemory (9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe, cmd.exe)
Reported IOCs
description | pid | process | target process
PID 1964 wrote to memory of 2008 | 1964 | 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe | vssadmin.exe
PID 1964 wrote to memory of 4708 | 1964 | 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe | notepad.exe
PID 1964 wrote to memory of 5856 | 1964 | 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe | cmd.exe
PID 5856 wrote to memory of 5004 | 5856 | cmd.exe | taskkill.exe
-
Process | C:\Users\Admin\AppData\Local\Temp\9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe |
Command line | "C:\Users\Admin\AppData\Local\Temp\9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe" |
Signatures | Modifies extensions of user files; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory |
-
Process | C:\Windows\system32\vssadmin.exe |
Command line | C:\Windows\system32\vssadmin.exe delete shadows /all /quiet |
Signatures | Interacts with shadow copies |
-
Process | C:\Windows\SysWOW64\notepad.exe |
Command line | C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\F43E65-Readme.txt" |
-
Process | C:\Windows\SysWOW64\cmd.exe |
Command line | cmd /c "C:\Users\Admin\AppData\Local\Temp\EABC.tmp.bat" |
Signatures | Deletes itself; Suspicious use of WriteProcessMemory |
-
Process | C:\Windows\SysWOW64\taskkill.exe |
Command line | taskkill /F /PID 1964 |
Signatures | Kills process with taskkill; Suspicious use of AdjustPrivilegeToken |
-
Process | C:\Windows\system32\vssvc.exe |
Command line | C:\Windows\system32\vssvc.exe |
Signatures | Suspicious use of AdjustPrivilegeToken |
-
C:\Users\Admin\AppData\Local\Temp\EABC.tmp.bat
MD5 | 18230297dbba850a25b6dc479641097c |
SHA1 | b4787b6085c0ce58c2a7a80f7c92f60b840d738d |
SHA256 | 4596e48e3659998eac5775ea2cac992168ee92e9fbfc141f249e1240a83f3447 |
SHA512 | bd9564aa127259b4dd9e3668d4982065dbc86085a7d51e6d374193c6ca76222fa329d97d2f2808a324384b4b66e469600d602761e4987576a5bb410b3cbc94fd |
-
C:\Users\Admin\Desktop\F43E65-Readme.txt
MD5 | 555dd1aa2511e069d0ae620724a106ec |
SHA1 | 5acc903c191b8cf63f5f960d154dc290da5e24d3 |
SHA256 | 5e4025cf29fdb7cc6104e51701e6894397619af51581ccdc3d722954615d6b44 |
SHA512 | 543743141b64cec0c4cca4cfd355c947cecf9d58655e98ee0fe5563ad45b442d932d13e026fe5877c926e6c29d5e1ce46ed07a79bbaae419ab52f77a0afcb01a |
-
memory/1964-59-0x0000000076A81000-0x0000000076A83000-memory.dmp
-
memory/2008-60-0x0000000000000000-mapping.dmp
-
memory/4708-61-0x0000000000000000-mapping.dmp
-
memory/5004-65-0x0000000000000000-mapping.dmp
-
memory/5856-63-0x0000000000000000-mapping.dmp