Overview
overview
10Static
static
10155eaec829...23.exe
windows7_x64
10155eaec829...23.exe
windows10_x64
108a68388787...97.exe
windows7_x64
108a68388787...97.exe
windows10_x64
109a9bf626d4...d6.exe
windows7_x64
109a9bf626d4...d6.exe
windows10_x64
10a9fb354944...06.exe
windows7_x64
10a9fb354944...06.exe
windows10_x64
10Analysis
-
max time kernel
91s -
max time network
94s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
01-07-2021 04:38
Behavioral task
behavioral1
Sample
155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
Resource
win10v20210408
Behavioral task
behavioral3
Sample
8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
Resource
win7v20210410
Behavioral task
behavioral4
Sample
8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
Resource
win10v20210408
Behavioral task
behavioral5
Sample
9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe
Resource
win7v20210410
Behavioral task
behavioral6
Sample
9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe
Resource
win10v20210410
Behavioral task
behavioral7
Sample
a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
Resource
win7v20210408
Behavioral task
behavioral8
Sample
a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
Resource
win10v20210410
General
-
Target
9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe
-
Size
66KB
-
MD5
5e7d419747ee589f724a80d9ac8b7186
-
SHA1
b91e9178b054811312c83f3d81cc4153d2fa38ba
-
SHA256
9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6
-
SHA512
bdd91c5551df4a3adbe56ebcf2045cad1ed924627c16236ef7579ee73974c3d784a0fc2624ecb143912315231c9565854294d021d01549f61140efe1ec2b6c23
Malware Config
Extracted
C:\F43E65-Readme.txt
netwalker
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted
C:\Users\Admin\Favorites\Microsoft Websites\F43E65-Readme.txt
netwalker
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\F43E65-Readme.txt
netwalker
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exedescription ioc process File renamed C:\Users\Admin\Pictures\FormatHide.raw => C:\Users\Admin\Pictures\FormatHide.raw.f43e65 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File renamed C:\Users\Admin\Pictures\ConvertFromExport.raw => C:\Users\Admin\Pictures\ConvertFromExport.raw.f43e65 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File renamed C:\Users\Admin\Pictures\SplitInstall.crw => C:\Users\Admin\Pictures\SplitInstall.crw.f43e65 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File renamed C:\Users\Admin\Pictures\MergeShow.tif => C:\Users\Admin\Pictures\MergeShow.tif.f43e65 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 5856 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Processes:
9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exedescription ioc process File opened for modification C:\Program Files\7-Zip\7-zip.chm 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SNET.NET.XML 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\vlc.mo 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143743.GIF 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186346.WMF 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01395_.WMF 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\POLICIES.FDT 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_ja.jar 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CG1606.WMF 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00234_.WMF 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_OFF.GIF 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.security 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\F43E65-Readme.txt 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PS9CRNRH.POC 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099166.JPG 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00018_.WMF 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostTitle.XSL 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Johannesburg 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIconMask.bmp 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OMSMMS.CFG 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\Jujuy 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLPERF.INI 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\F43E65-Readme.txt 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.properties.src 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLIST.CFG 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Ojinaga 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\7-Zip\Lang\fur.txt 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN048.XML 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EAST_01.MID 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196358.WMF 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Adjacency.xml 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_ja.jar 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090027.WMF 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tunis 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\TexturedBlue.css 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00090_.GIF 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\7-Zip\Lang\br.txt 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-attach.jar 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00671_.WMF 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.DPV 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\UnformattedNumeric.jpg 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR2B.GIF 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21327_.GIF 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00486_.WMF 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2008 vssadmin.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 5004 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exepid process 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exevssvc.exetaskkill.exedescription pid process Token: SeDebugPrivilege 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe Token: SeImpersonatePrivilege 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe Token: SeBackupPrivilege 2608 vssvc.exe Token: SeRestorePrivilege 2608 vssvc.exe Token: SeAuditPrivilege 2608 vssvc.exe Token: SeDebugPrivilege 5004 taskkill.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.execmd.exedescription pid process target process PID 1964 wrote to memory of 2008 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe vssadmin.exe PID 1964 wrote to memory of 2008 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe vssadmin.exe PID 1964 wrote to memory of 2008 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe vssadmin.exe PID 1964 wrote to memory of 2008 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe vssadmin.exe PID 1964 wrote to memory of 4708 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe notepad.exe PID 1964 wrote to memory of 4708 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe notepad.exe PID 1964 wrote to memory of 4708 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe notepad.exe PID 1964 wrote to memory of 4708 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe notepad.exe PID 1964 wrote to memory of 5856 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe cmd.exe PID 1964 wrote to memory of 5856 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe cmd.exe PID 1964 wrote to memory of 5856 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe cmd.exe PID 1964 wrote to memory of 5856 1964 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe cmd.exe PID 5856 wrote to memory of 5004 5856 cmd.exe taskkill.exe PID 5856 wrote to memory of 5004 5856 cmd.exe taskkill.exe PID 5856 wrote to memory of 5004 5856 cmd.exe taskkill.exe PID 5856 wrote to memory of 5004 5856 cmd.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe"C:\Users\Admin\AppData\Local\Temp\9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe"1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:2008 -
C:\Windows\SysWOW64\notepad.exeC:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\F43E65-Readme.txt"2⤵PID:4708
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\EABC.tmp.bat"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:5856 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 19643⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5004
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
18230297dbba850a25b6dc479641097c
SHA1b4787b6085c0ce58c2a7a80f7c92f60b840d738d
SHA2564596e48e3659998eac5775ea2cac992168ee92e9fbfc141f249e1240a83f3447
SHA512bd9564aa127259b4dd9e3668d4982065dbc86085a7d51e6d374193c6ca76222fa329d97d2f2808a324384b4b66e469600d602761e4987576a5bb410b3cbc94fd
-
MD5
555dd1aa2511e069d0ae620724a106ec
SHA15acc903c191b8cf63f5f960d154dc290da5e24d3
SHA2565e4025cf29fdb7cc6104e51701e6894397619af51581ccdc3d722954615d6b44
SHA512543743141b64cec0c4cca4cfd355c947cecf9d58655e98ee0fe5563ad45b442d932d13e026fe5877c926e6c29d5e1ce46ed07a79bbaae419ab52f77a0afcb01a