Analysis
- max time kernel: 159s
- max time network: 162s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-07-2021 12:41
Static task: static1
Behavioral task: behavioral1
  Sample: 6bd34d33ccb47430751ae964ca56ec206da0fa3bdc5eb670fc54edf4c11629bc.sample.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 6bd34d33ccb47430751ae964ca56ec206da0fa3bdc5eb670fc54edf4c11629bc.sample.exe
  Resource: win10v20210408
General
- Target: 6bd34d33ccb47430751ae964ca56ec206da0fa3bdc5eb670fc54edf4c11629bc.sample.exe
- Size: 69KB
- MD5: 3f3cc36f4298c4db8e77794eb96db81a
- SHA1: 2861da47ebc33a57aa93e483b1ea946a5b33b345
- SHA256: 6bd34d33ccb47430751ae964ca56ec206da0fa3bdc5eb670fc54edf4c11629bc
- SHA512: 8cab92e54aeda3be69ae0bbdd47e15be43e57176fcaafd92afa2a2f68afb0099caf65bcb38359395f6f84616af07f928e7aa2fb576e7ee0130f42a1fdb00d505
Malware Config
- Extracted from: C:\ProgramData\Microsoft\User Account Pictures\5446E1-Readme.txt
  Family: netwalker
  http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
- Extracted from: C:\Users\Admin\Downloads\5446E1-Readme.txt
  Family: netwalker
  http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
- Netwalker Ransomware
  Ransomware family with multiple versions. Also known as MailTo.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (11 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 6bd34d33ccb47430751ae964ca56ec206da0fa3bdc5eb670fc54edf4c11629bc.sample.exe (process column for every row)
    File opened for modification  C:\Users\Admin\Pictures\SendJoin.tiff
    File renamed  C:\Users\Admin\Pictures\CompleteDeny.tif => C:\Users\Admin\Pictures\CompleteDeny.tif.5446e1
    File renamed  C:\Users\Admin\Pictures\GetWrite.png => C:\Users\Admin\Pictures\GetWrite.png.5446e1
    File renamed  C:\Users\Admin\Pictures\ExitTest.tif => C:\Users\Admin\Pictures\ExitTest.tif.5446e1
    File renamed  C:\Users\Admin\Pictures\ResolveSave.tiff => C:\Users\Admin\Pictures\ResolveSave.tiff.5446e1
    File opened for modification  C:\Users\Admin\Pictures\UseNew.tiff
    File opened for modification  C:\Users\Admin\Pictures\ResolveSave.tiff
    File renamed  C:\Users\Admin\Pictures\RevokeSave.raw => C:\Users\Admin\Pictures\RevokeSave.raw.5446e1
    File renamed  C:\Users\Admin\Pictures\SendJoin.tiff => C:\Users\Admin\Pictures\SendJoin.tiff.5446e1
    File renamed  C:\Users\Admin\Pictures\UseNew.tiff => C:\Users\Admin\Pictures\UseNew.tiff.5446e1
    File renamed  C:\Users\Admin\Pictures\SearchSet.raw => C:\Users\Admin\Pictures\SearchSet.raw.5446e1
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes: 6bd34d33ccb47430751ae964ca56ec206da0fa3bdc5eb670fc54edf4c11629bc.sample.exe (process column for every row)
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml
    File opened for modification  C:\Program Files\7-Zip\Lang\tt.txt
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar
    File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties
    File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0332268.WMF
    File opened for modification  C:\Program Files\5446E1-Readme.txt
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01840_.GIF
    File created  C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\5446E1-Readme.txt
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImagesMask.bmp
    File opened for modification  C:\Program Files\7-Zip\Lang\it.txt
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar
    File opened for modification  C:\Program Files\Java\jre7\lib\zi\Indian\Maldives
    File created  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\5446E1-Readme.txt
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\jaccess.jar
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\background.gif
    File created  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\5446E1-Readme.txt
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs-nio2.jar
    File created  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\5446E1-Readme.txt
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341328.JPG
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\TAB_ON.GIF
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_zh_CN.jar
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200377.WMF
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt
    File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301480.WMF
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialLetter.dotx
    File opened for modification  C:\Program Files\Java\jre7\lib\security\local_policy.jar
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_zh_4.4.0.v20140623020002.jar
    File opened for modification  C:\Program Files\Java\jre7\lib\zi\Asia\Bangkok
    File opened for modification  C:\Program Files\Java\jre7\lib\zi\Etc\GMT+2
    File created  C:\Program Files\VideoLAN\VLC\lua\meta\art\5446E1-Readme.txt
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar
    File created  C:\Program Files\Java\jre7\lib\zi\Atlantic\5446E1-Readme.txt
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099181.WMF
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099184.WMF
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALENDAR.DPV
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\MANIFEST.MF
    File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21364_.GIF
    File created  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\5446E1-Readme.txt
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME16.CSS
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00396_.WMF
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183174.WMF
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04117_.WMF
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_zh_4.4.0.v20140623020002.jar
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.smil_1.0.0.v200806040011.jar
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43B.GIF
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152890.WMF
    File created  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\5446E1-Readme.txt
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01636_.WMF
    File opened for modification  C:\Program Files\Java\jre7\lib\zi\Asia\Kuala_Lumpur
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\mspub.exe.manifest
    File opened for modification  C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105376.WMF
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\.eclipseproduct
    File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14532_.GIF
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200189.WMF
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313896.JPG
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar
    File opened for modification  C:\Program Files\Java\jre7\lib\zi\SystemV\HST10
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid 1984  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 2028  6bd34d33ccb47430751ae964ca56ec206da0fa3bdc5eb670fc54edf4c11629bc.sample.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: 6bd34d33ccb47430751ae964ca56ec206da0fa3bdc5eb670fc54edf4c11629bc.sample.exe, vssvc.exe
    Token: SeDebugPrivilege        pid 2028  6bd34d33ccb47430751ae964ca56ec206da0fa3bdc5eb670fc54edf4c11629bc.sample.exe
    Token: SeImpersonatePrivilege  pid 2028  6bd34d33ccb47430751ae964ca56ec206da0fa3bdc5eb670fc54edf4c11629bc.sample.exe
    Token: SeBackupPrivilege       pid 5152  vssvc.exe
    Token: SeRestorePrivilege      pid 5152  vssvc.exe
    Token: SeAuditPrivilege        pid 5152  vssvc.exe
  The vssvc.exe rows are the Volume Shadow Copy service doing its normal work while it serves the vssadmin request; the indicators attributable to the sample are the SeDebugPrivilege and SeImpersonatePrivilege enablements in pid 2028.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 2028 wrote to memory of 1984  process 6bd34d33ccb47430751ae964ca56ec206da0fa3bdc5eb670fc54edf4c11629bc.sample.exe  target process vssadmin.exe (4 identical entries)
  All four writes go from the sample to the vssadmin.exe child it spawns; a parent writing into a freshly created child's address space is expected behaviour and is not, on its own, evidence of code injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\6bd34d33ccb47430751ae964ca56ec206da0fa3bdc5eb670fc54edf4c11629bc.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6bd34d33ccb47430751ae964ca56ec206da0fa3bdc5eb670fc54edf4c11629bc.sample.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
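Added example, not part of this sandbox report or of the Triage tooling: a small Python triage script that replays the behaviours the report attributes to PID 2028 (vssadmin shadow deletion, user files renamed with an appended .5446e1 extension, 5446E1-Readme.txt notes dropped) and pulls the two .onion URLs from a note, over constructed event records. The flat event schema, the helper names, the threshold of five renames, the <6 hex chars>-Readme.txt note-name pattern and the wmic/Win32_ShadowCopy variants are assumptions of the example, not anything the report states.

```python
import re
from collections import Counter, defaultdict

# Constructed event records modelled on the report above; not real telemetry.
# The flat schema (type / pid / ppid / cmdline / src / dst / path) is an
# assumption of this example, not a Triage or Sysmon export format.
SAMPLE = "6bd34d33ccb47430751ae964ca56ec206da0fa3bdc5eb670fc54edf4c11629bc.sample.exe"
PICS = r"C:\Users\Admin\Pictures"
EVENTS = [
    {"type": "process", "pid": 2028, "ppid": None,
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'},
    {"type": "process", "pid": 1984, "ppid": 2028,
     "cmdline": r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet"},
] + [
    {"type": "rename", "pid": 2028, "src": PICS + "\\" + f, "dst": PICS + "\\" + f + ".5446e1"}
    for f in ("CompleteDeny.tif", "GetWrite.png", "ExitTest.tif", "ResolveSave.tiff",
              "RevokeSave.raw", "SendJoin.tiff", "UseNew.tiff", "SearchSet.raw")
] + [
    # Constructed benign rename by another process; must not trip the rule.
    {"type": "rename", "pid": 3001, "src": r"C:\Users\Admin\Documents\notes.txt",
     "dst": r"C:\Users\Admin\Documents\notes.bak"},
    {"type": "create", "pid": 2028, "path": r"C:\ProgramData\Microsoft\User Account Pictures\5446E1-Readme.txt"},
    {"type": "create", "pid": 2028, "path": r"C:\Program Files\VideoLAN\VLC\lua\meta\art\5446E1-Readme.txt"},
    {"type": "create", "pid": 2028, "path": r"C:\Users\Admin\Downloads\5446E1-Readme.txt"},
]

# vssadmin is what this sample ran; wmic and Win32_ShadowCopy (reachable from
# PowerShell) are the other common ways to delete VSS snapshots, added here as a
# generalisation.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy",
    re.IGNORECASE)
# Note name as observed in this report: <6 hex chars>-Readme.txt. Assumed for
# this sample only, not claimed for every Netwalker build.
NOTE_NAME = re.compile(r"^([0-9a-f]{6})-Readme\.txt$", re.IGNORECASE)
# v3 onion service names are exactly 56 base32 characters.
ONION_V3 = re.compile(r"https?://[a-z2-7]{56}\.onion\b")


def shadow_copy_deletions(events):
    """(pid, ppid, cmdline) of every process whose command line deletes VSS snapshots."""
    return [(e["pid"], e["ppid"], e["cmdline"]) for e in events
            if e["type"] == "process" and SHADOW_DELETE.search(e["cmdline"])]


def appended_suffix(src, dst):
    """The '.ext' appended by a rename of src -> src + '.ext' (lower-cased), else None."""
    if dst.startswith(src) and dst[len(src):len(src) + 1] == ".":
        return dst[len(src):].lower()
    return None


def mass_renames(events, threshold=5):
    """pid -> {suffix: count} for processes that appended one suffix to >= threshold files."""
    counts = defaultdict(Counter)
    for e in events:
        if e["type"] == "rename":
            suffix = appended_suffix(e["src"], e["dst"])
            if suffix:
                counts[e["pid"]][suffix] += 1
    return {pid: {s: n for s, n in c.items() if n >= threshold}
            for pid, c in counts.items() if max(c.values()) >= threshold}


def ransom_notes(events):
    """pid -> {note id (lower case): [paths]} for created files named like the note."""
    notes = defaultdict(lambda: defaultdict(list))
    for e in events:
        if e["type"] == "create":
            m = NOTE_NAME.match(e["path"].rsplit("\\", 1)[-1])
            if m:
                notes[e["pid"]][m.group(1).lower()].append(e["path"])
    return notes


def correlate(events, threshold=5):
    """Tie each mass-rename suffix to a note id: this sample appends the same id
    it puts in the note name (.5446e1 and 5446E1-Readme.txt)."""
    notes = ransom_notes(events)
    findings = []
    for pid, suffixes in mass_renames(events, threshold).items():
        for suffix, n in suffixes.items():
            note_id = suffix[1:]
            paths = notes[pid].get(note_id, [])
            findings.append({"pid": pid, "suffix": suffix, "renamed": n,
                             "note_id": note_id if paths else None, "notes": len(paths)})
    return findings


def onion_urls(text):
    """Unique v3 .onion URLs in a ransom note, in order of first appearance."""
    return list(dict.fromkeys(ONION_V3.findall(text)))


# Constructed stand-in for the dropped note: only the two URLs come from the
# extracted config above; the surrounding wording is not the real note.
NOTE_TEXT = """Your files are encrypted.
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
"""

if __name__ == "__main__":
    for pid, ppid, cmd in shadow_copy_deletions(EVENTS):
        print(f"[shadow copies] pid {pid} spawned by {ppid}: {cmd}")
    for f in correlate(EVENTS):
        print(f"[encryption] pid {f['pid']}: {f['renamed']} files renamed to *{f['suffix']}, "
              f"note id {f['note_id']} dropped {f['notes']} times")
    print("[config] onion:", onion_urls(NOTE_TEXT))
```

The rename rule keys on a suffix appended to the whole original name rather than on a replaced extension, which is what the report's rows show (CompleteDeny.tif => CompleteDeny.tif.5446e1); the benign notes.txt => notes.bak rename therefore scores nothing. Matching the suffix against the note-name id ties the two signatures to one process instead of alerting on them separately.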
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1984-61-0x0000000000000000-mapping.dmp
- memory/2028-60-0x0000000076691000-0x0000000076693000-memory.dmp (8KB)
- memory/2028-62-0x0000000028DF0000-0x0000000028E6D000-memory.dmp (500KB)
- memory/2028-63-0x00000000134A0000-0x000000001351D000-memory.dmp (500KB)