Analysis
-
max time kernel
162s -
max time network
145s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
01-02-2022 01:34
Static task
static1
Behavioral task
behavioral1
Sample
220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe
Resource
win10v2004-en-20220112
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe
-
Size
72KB
-
MD5
4bf0879dcf5401d92697d1456673763b
-
SHA1
ad67118bd57aa7e2ba8b657cf1d54613adc98775
-
SHA256
220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652
-
SHA512
1ef2b9a72fff5b66284be6aa099ddec99a4a886a861c7315c15c533bf5b0871e5c5e6b0f77268638d6b879d26110a44e17e8d71206b0627f6a7b619238af14c2
Score
10/10
Malware Config
Extracted
Path
C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\3FD3C1-Readme.txt
Family
netwalker
Ransom Note
Hi!
Your files are encrypted by Netwalker.
All encrypted files for this computer has extension: .3fd3c1
--
If for some reason you read this text before the encryption ended,
this can be understood by the fact that the computer slows down,
and your heart rate has increased due to the ability to turn it off,
then we recommend that you move away from the computer and accept that you have been compromised.
Rebooting/shutdown will cause you to lose files without the possibility of recovery.
--
Our encryption algorithms are very strong and your files are very well protected,
the only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.
For us this is just business and to prove to you our seriousness, we will decrypt you one file for free.
Just open our website, upload the encrypted file and get the decrypted file for free.
--
Steps to get access on our website:
1.Download and install tor-browser: https://torproject.org/
2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3.Put your personal code in the input form:
{code_3fd3c1:
NtlD+3BP0OWn9DBgvvXSllNhprWggQ4aXtHCTw0XQTbAl3g3mm
Q02n852aEUBLZmJFpo17kHwFm+Sd846VOBybQO+VdAC+QC41Zj
AjqsHUGZaz5q6CYbZJIlCfwKNcuOgr9s9l7OnvO7FMmUjAmfuc
kDk+NbCh9dGK7KQ/iFvUiSZwftVi6prvbgFTjKGCYve7r/KnO0
lAXrs/b1aFPPzhLSVHHPlrRn4XTi/GpCSYpeywqVpfajgbeHYO
YgShkSBctYsGbah+pbzh3oGRaOZAE5XO2qTwdD0Q==}
URLs
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\ShowGrant.tiff 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Users\Admin\Pictures\StopSet.tiff 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Users\Admin\Pictures\UpdateGet.tiff 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Common Files\Adobe\Updater6\3FD3C1-Readme.txt 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Address.accft 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\VideoLAN\VLC\COPYING.txt 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\vlc.mo 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\modules\dkjson.luac 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\vlc.mo 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\3FD3C1-Readme.txt 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\DisconnectRemove.xsl 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\msmdsrv.rll 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00142_.GIF 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\CAGCAT10.MML 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File created C:\Program Files (x86)\MSBuild\3FD3C1-Readme.txt 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostName.XSL 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\VideoLAN\VLC\THANKS.txt 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\3082\MSO.ACL 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\subscription.xsd 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OEMPRINT.CAT 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18185_.WMF 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mset7jp.kic 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00160_.GIF 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\BREEZE.WAV 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\3FD3C1-Readme.txt 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PPTIRMV.XML 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\vlc.mo 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.CRT 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\COUPLER.WAV 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\3FD3C1-Readme.txt 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityReport.Dotx 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\el.pak 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\it.pak 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\sd\jamendo.luac 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\ConvertEdit.jfif 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00175_.GIF 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB5A.BDR 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183328.WMF 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\modules\simplexml.luac 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18194_.WMF 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Composite.thmx 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mscss7cm_es.dub 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.GIF 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.XML 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02039_.GIF 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\Windows Journal\Templates\Graph.jtp 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\UnlockBlock.easmx 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\VisioCustom.propdesc 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\et.pak 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File created C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\3FD3C1-Readme.txt 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL104.XML 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ko.pak 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18184_.WMF 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\main.css 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.0.2.jar 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File created C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\3FD3C1-Readme.txt 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\00_musicbrainz.luac 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.LTS 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\3FD3C1-Readme.txt 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 696 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe Token: SeImpersonatePrivilege 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe Token: SeBackupPrivilege 5916 vssvc.exe Token: SeRestorePrivilege 5916 vssvc.exe Token: SeAuditPrivilege 5916 vssvc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1688 wrote to memory of 696 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 27 PID 1688 wrote to memory of 696 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 27 PID 1688 wrote to memory of 696 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 27 PID 1688 wrote to memory of 696 1688 220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe"C:\Users\Admin\AppData\Local\Temp\220545603f7fce827c2574d7bbb19298216ea065e650a0694aaf6592a88a2652.exe"1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:696
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5916