Analysis
-
max time kernel
148s -
max time network
122s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
22-10-2021 15:26
Static task
static1
Behavioral task
behavioral1
Sample
58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c.bin.sample.exe
Resource
win10-en-20210920
windows10_x64
0 signatures
0 seconds
General
-
Target
58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c.bin.sample.exe
-
Size
94KB
-
MD5
73de5babf166f28dc81d6c2faa369379
-
SHA1
e393a9ecf0d0a8babaa5efcc34f10577aff1cad1
-
SHA256
58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c
-
SHA512
d1a473ce9af849820b8cc9d777478e2a69293f3471ee3120f9ca96c43af922e0d661048d2d36688a62a63aa185728f83ee32f5a67ddcc0d1633c5bfe46c5ea51
Score
10/10
Malware Config
Extracted
Path
C:\odt\C84F5-Readme.txt
Family
netwalker
Ransom Note
Hi!
Your files are encrypted.
All encrypted files for this computer has extension: .c84f5
--
If for some reason you read this text before the encryption ended,
this can be understood by the fact that the computer slows down,
and your heart rate has increased due to the ability to turn it off,
then we recommend that you move away from the computer and accept that you have been compromised,
rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you,
it could be files on the network belonging to other users, sure you want to take that responsibility?
--
Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help.
The only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover.
We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned.
For us this is just business and to prove to you our seriousness, we will decrypt you some files for free,
but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.
Contact us:
[email protected]
[email protected]
Don't forget to include your code in the email:
{code_345f15fb_c84f5:
uMsMYFsYIBnrzmf6+u2aDiEAl/AHDxDgG37vIR8PhsZ+/ebYu+
02wKgFt9+rRb9StiZjApAkMOWi+j+mgi2V3pLAeKmbecN/+xVf
NK79JF/NMAkt/Mz18hNxSx40IsVmJtDG5HOJPdBbVkw+zrL18f
Mw2WlbMLGkRi6D/meqq+jcgKA7pV6uJSpYwcs+9EbACSrNwg7I
1HyCiTqYm25BODjyEqYuC2DQXW2z8CaqQuoktm9mibnII9qPP5
HnI5N2gYWkpfOjOVj2J9bWa1KUxbfk+ts=}
Extracted
Path
C:\C84F5-Readme.txt
Family
netwalker
Ransom Note
Hi!
Your files are encrypted.
All encrypted files for this computer has extension: .c84f5
--
If for some reason you read this text before the encryption ended,
this can be understood by the fact that the computer slows down,
and your heart rate has increased due to the ability to turn it off,
then we recommend that you move away from the computer and accept that you have been compromised,
rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you,
it could be files on the network belonging to other users, sure you want to take that responsibility?
--
Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help.
The only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover.
We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned.
For us this is just business and to prove to you our seriousness, we will decrypt you some files for free,
but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.
Contact us:
[email protected]
[email protected]
Don't forget to include your code in the email:
{code_345f15fb_c84f5:
uMsMYFsYIBnrzmf6+u2aDiEAl/AHDxDgG37vIR8PhsZ+/ebYu+
02wKgFt9+rRb9StiZjApAkMOWi+j+mgi2V3pLAeKmbecN/+xVf
NK79JF/NMAkt/Mz18hNxSx40IsVmJtDG5HOJPdBbVkw+zrL18f
Mw2WlbMLGkRi6D/meqq+jcgKA7pV6uJSpYwcs+9EbACSrNwg7I
1HyCiTqYm25BODjyEqYuC2DQXW2z8CaqQuoktm9mibnII9qPP5
HnI5N2gYWkpfOjOVj2J9bWa1KUxbfk+ts=}Hi!
Your files are encrypted.
All encrypted files for this computer has extension: .c84f5
--
If for some reason you read this text before the encryption ended,
this can be understood by the fact that the computer slows down,
and your heart rate has increased due to the ability to turn it off,
then we recommend that you move away from the computer and accept that you have been compromised,
rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you,
it could be files on the network belonging to other users, sure you want to take that responsibility?
--
Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help.
The only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover.
We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned.
For us this is just business and to prove to you our seriousness, we will decrypt you some files for free,
but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.
Contact us:
[email protected]
[email protected]
Don't forget to include your code in the email:
{code_345f15fb_c84f5:
uMsMYFsYIBnrzmf6+u2aDiEAl/AHDxDgG37vIR8PhsZ+/ebYu+
02wKgFt9+rRb9StiZjApAkMOWi+j+mgi2V3pLAeKmbecN/+xVf
NK79JF/NMAkt/Mz18hNxSx40IsVmJtDG5HOJPdBbVkw+zrL18f
Mw2WlbMLGkRi6D/meqq+jcgKA7pV6uJSpYwcs+9EbACSrNwg7I
1HyCiTqYm25BODjyEqYuC2DQXW2z8CaqQuoktm9mibnII9qPP5
HnI5N2gYWkpfOjOVj2J9bWa1KUxbfk+ts=}
Signatures
-
Detected Netwalker Ransomware 2 IoCs
Detected unpacked Netwalker executable.
resource yara_rule behavioral1/memory/3336-118-0x0000000003030000-0x000000000304B000-memory.dmp netwalker_ransomware behavioral1/memory/3960-119-0x00000000007A0000-0x00000000007BB000-memory.dmp netwalker_ransomware -
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Deletes itself 1 IoCs
pid Process 3336 explorer.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c84f5dbf = "C:\\Program Files (x86)\\c84f5dbf\\c84f5dbf.exe" explorer.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3808 set thread context of 3336 3808 58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c.bin.sample.exe 69 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\ui-strings.js explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\82.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-20_altform-unplated_contrast-black.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\MedTile.scale-200.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ae_16x11.png explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-125.png explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Marble.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\All_cards.png explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\es-ES.PhoneNumber.ot explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.update.configurator_3.3.300.v20140518-1928.jar explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nb-no\ui-strings.js explorer.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\C84F5-Readme.txt explorer.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-125.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_PigEar.png explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2708_40x40x32.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\SmallTile.scale-100.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\dz_60x42.png explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ru-ru\ui-strings.js explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OneConnectAppList.targetsize-30.png explorer.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\LargeTile.scale-125.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.16112.11621.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\EXPEDITN.INF explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.nl_ja_4.4.0.v20140623020002.jar explorer.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\C84F5-Readme.txt explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\ui-strings.js explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms explorer.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconEditRichCapture.scale-125.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\mobile\en-US\doc_offline_getconnected.xml explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-1.jpg explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-100.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-40.png explorer.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\C84F5-Readme.txt explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsStoreLogo.scale-100.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\beach_12h.png explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.b93b0697.pri explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Right_Angle_Triangle.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\tv_16x11.png explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_checkbox_unselected_18.svg explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms explorer.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-black_scale-125.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\XMLOffKeys\Keys_OffVer16.xml explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\freecell\Alcatraz_Escape_.png explorer.exe File created C:\Program Files\Microsoft Office\root\Office16\SAMPLES\C84F5-Readme.txt explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40_altform-unplated.png explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\CAPSULES.ELM explorer.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_ko.properties explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ppd.xrm-ms explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-100.png explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-16_altform-unplated.png explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBHW6.CHM explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-explorer.xml explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-150.png explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_zh_CN.jar explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms explorer.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-100.png explorer.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3584 vssadmin.exe 4028 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3336 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe 3960 explorer.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 3808 58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c.bin.sample.exe 3336 explorer.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 3960 explorer.exe Token: SeBackupPrivilege 692 vssvc.exe Token: SeRestorePrivilege 692 vssvc.exe Token: SeAuditPrivilege 692 vssvc.exe Token: SeDebugPrivilege 3336 explorer.exe Token: SeImpersonatePrivilege 3336 explorer.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 5700 notepad.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 3808 wrote to memory of 3336 3808 58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c.bin.sample.exe 69 PID 3808 wrote to memory of 3336 3808 58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c.bin.sample.exe 69 PID 3808 wrote to memory of 3336 3808 58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c.bin.sample.exe 69 PID 3336 wrote to memory of 3960 3336 explorer.exe 70 PID 3336 wrote to memory of 3960 3336 explorer.exe 70 PID 3336 wrote to memory of 3960 3336 explorer.exe 70 PID 3960 wrote to memory of 3584 3960 explorer.exe 71 PID 3960 wrote to memory of 3584 3960 explorer.exe 71 PID 3336 wrote to memory of 5700 3336 explorer.exe 81 PID 3336 wrote to memory of 5700 3336 explorer.exe 81 PID 3336 wrote to memory of 5700 3336 explorer.exe 81 PID 3336 wrote to memory of 4028 3336 explorer.exe 82 PID 3336 wrote to memory of 4028 3336 explorer.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c.bin.sample.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"2⤵
- Deletes itself
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:3584
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\C84F5-Readme.txt"3⤵
- Suspicious use of FindShellTrayWindow
PID:5700
-
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4028
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:692