Analysis
max time kernel: 1022s
max time network: 1558s
platform: windows10_x64
resource: win10-en-20211014
submitted: 27-10-2021 09:06
Static task: static1
Behavioral task: behavioral1
  Sample: de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe
  Resource: win11
Behavioral task: behavioral3
  Sample: de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe
  Resource: win10-en-20211014
General
Target: de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe

Malware Config
Extracted from: C:\odt\6246D-Readme.txt
Family: netwalker
Emails: knoocknoo@cock.li, eeeooppaaaxxx@tuta.io
Signatures

Detected Netwalker Ransomware (2 IoCs)
Detected unpacked Netwalker executable.
Processes (resource | yara_rule):
  behavioral3/memory/2672-118-0x0000000002B80000-0x0000000002B9B000-memory.dmp | netwalker_ransomware
  behavioral3/memory/1008-119-0x0000000000270000-0x000000000028B000-memory.dmp | netwalker_ransomware
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (description | ioc | process):
  File opened for modification | C:\Users\Admin\Pictures\MoveRegister.tiff | explorer.exe
  File opened for modification | C:\Users\Admin\Pictures\ReceiveSkip.tiff | explorer.exe
Deletes itself (1 IoCs)
Processes (pid | process):
  2672 | explorer.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6246d403 = "C:\\Program Files (x86)\\6246d403\\6246d403.exe" | explorer.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes (description | pid | process | target process):
  PID 3744 set thread context of 2672 | 3744 | de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe | explorer.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
Processes (description | ioc | process):
  File created | C:\Windows\rescache\_merged\4183903823\1195458082.pri | taskmgr.exe
  File created | C:\Windows\rescache\_merged\1601268389\3068621934.pri | taskmgr.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | taskmgr.exe
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid | process):
  3336 | vssadmin.exe
  7644 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process):
  2672 | explorer.exe
  1008 | explorer.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid | process):
  4660 | taskmgr.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes (pid | process):
  3744 | de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe
  2672 | explorer.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 1008 | explorer.exe
  Token: SeBackupPrivilege | 648 | vssvc.exe
  Token: SeRestorePrivilege | 648 | vssvc.exe
  Token: SeAuditPrivilege | 648 | vssvc.exe
  Token: SeDebugPrivilege | 2672 | explorer.exe
  Token: SeImpersonatePrivilege | 2672 | explorer.exe
  Token: SeDebugPrivilege | 4660 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4660 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 4660 | taskmgr.exe
  Token: 33 | 4660 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 4660 | taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid | process):
  4660 | taskmgr.exe
Suspicious use of SendNotifyMessage (64 IoCs)
Processes (pid | process):
  4660 | taskmgr.exe
Suspicious use of WriteProcessMemory (13 IoCs)
Processes (description | pid | process | target process):
  PID 3744 wrote to memory of 2672 | 3744 | de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe | explorer.exe
  PID 3744 wrote to memory of 2672 | 3744 | de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe | explorer.exe
  PID 3744 wrote to memory of 2672 | 3744 | de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe | explorer.exe
  PID 2672 wrote to memory of 1008 | 2672 | explorer.exe | explorer.exe
  PID 2672 wrote to memory of 1008 | 2672 | explorer.exe | explorer.exe
  PID 2672 wrote to memory of 1008 | 2672 | explorer.exe | explorer.exe
  PID 1008 wrote to memory of 3336 | 1008 | explorer.exe | vssadmin.exe
  PID 1008 wrote to memory of 3336 | 1008 | explorer.exe | vssadmin.exe
  PID 2672 wrote to memory of 8056 | 2672 | explorer.exe | notepad.exe
  PID 2672 wrote to memory of 8056 | 2672 | explorer.exe | notepad.exe
  PID 2672 wrote to memory of 8056 | 2672 | explorer.exe | notepad.exe
  PID 2672 wrote to memory of 7644 | 2672 | explorer.exe | vssadmin.exe
  PID 2672 wrote to memory of 7644 | 2672 | explorer.exe | vssadmin.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\explorer.exe (depth 2)
      Command line: "C:\Windows\system32\explorer.exe"
      - Modifies extensions of user files
      - Deletes itself
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\explorer.exe (depth 3)
          Command line: "C:\Windows\system32\explorer.exe"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\vssadmin.exe (depth 4)
              Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
              - Interacts with shadow copies

        C:\Windows\SysWOW64\notepad.exe (depth 3)
          Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\6246D-Readme.txt"

        C:\Windows\system32\vssadmin.exe (depth 3)
          Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
          - Interacts with shadow copies

C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe (depth 1)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\Desktop\6246D-Readme.txt
  MD5: 59f004ea52c05aa8e6adb51fd6d3be3e
  SHA1: c1c5c546c913bc00cc5ac0fd0c234795ae056a45
  SHA256: 8b0e2c9ac5cbd1266c80361d1017692acf07f2af2e2991b03b1ac48b41b4d1df
  SHA512: f1c0dc27eb20e4ae331bc2ea524ac52160fc50c71ab0b1d04e56130cf7fe48189abf0485a2ce248aceb2b205e86cf6dedac9d16e09055f7c649741b7742c3f22

memory/1008-116-0x0000000000000000-mapping.dmp
memory/1008-119-0x0000000000270000-0x000000000028B000-memory.dmp (Filesize: 108KB)
memory/2672-115-0x0000000000000000-mapping.dmp
memory/2672-118-0x0000000002B80000-0x0000000002B9B000-memory.dmp (Filesize: 108KB)
memory/3336-117-0x0000000000000000-mapping.dmp
memory/7644-121-0x0000000000000000-mapping.dmp
memory/8056-120-0x0000000000000000-mapping.dmp