Analysis
max time kernel: 150s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 06-03-2022 00:33

Static task: static1
Behavioral task: behavioral1
  Sample: 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
  Resource: win7-20220223-en
Behavioral task: behavioral2
  Sample: 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
  Resource: win10v2004-en-20220113

General
Target: 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
Size: 69KB
MD5: 3229e2489dde524195cf0ccbbf5f7d40
SHA1: a257fc0b117fb9e0a6df128213e11de5cee21129
SHA256: 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d
SHA512: d719fcf974a9304154daf95f0c80805b9a720a1db1289aa4fd189494cb0c29820a1b999d26fb38378d3a47602b26ff8375189ed9586a9c94c19fae0f4e0c650e
Malware Config
Extracted from: C:\Program Files\F38EB9-Readme.txt
Family: netwalker
URLs:
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\RepairDeny.crw => C:\Users\Admin\Pictures\RepairDeny.crw.f38eb9 | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File renamed | C:\Users\Admin\Pictures\FormatNew.png => C:\Users\Admin\Pictures\FormatNew.png.f38eb9 | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File renamed | C:\Users\Admin\Pictures\PushCopy.png => C:\Users\Admin\Pictures\PushCopy.png.f38eb9 | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File renamed | C:\Users\Admin\Pictures\EditDisable.crw => C:\Users\Admin\Pictures\EditDisable.crw.f38eb9 | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File renamed | C:\Users\Admin\Pictures\LimitPush.crw => C:\Users\Admin\Pictures\LimitPush.crw.f38eb9 | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File renamed | C:\Users\Admin\Pictures\SwitchSubmit.crw => C:\Users\Admin\Pictures\SwitchSubmit.crw.f38eb9 | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File renamed | C:\Users\Admin\Pictures\BackupUnprotect.raw => C:\Users\Admin\Pictures\BackupUnprotect.raw.f38eb9 | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File renamed | C:\Users\Admin\Pictures\ExportWrite.png => C:\Users\Admin\Pictures\ExportWrite.png.f38eb9 | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Program Files directory (64 IoCs)
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2992 | vssadmin.exe

Kills process with taskkill (1 IoCs)
pid | Process
8400 | taskkill.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2560 | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2560 | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
Token: SeImpersonatePrivilege | 2560 | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
Token: SeBackupPrivilege | 368 | vssvc.exe
Token: SeRestorePrivilege | 368 | vssvc.exe
Token: SeAuditPrivilege | 368 | vssvc.exe
Token: SeDebugPrivilege | 8400 | taskkill.exe
Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 2560 wrote to memory of 2992 | 2560 | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe | 79
PID 2560 wrote to memory of 2992 | 2560 | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe | 79
PID 2560 wrote to memory of 9512 | 2560 | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe | 95
PID 2560 wrote to memory of 9512 | 2560 | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe | 95
PID 2560 wrote to memory of 9512 | 2560 | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe | 95
PID 2560 wrote to memory of 9112 | 2560 | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe | 96
PID 2560 wrote to memory of 9112 | 2560 | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe | 96
PID 2560 wrote to memory of 9112 | 2560 | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe | 96
PID 9112 wrote to memory of 8400 | 9112 | cmd.exe | 98
PID 9112 wrote to memory of 8400 | 9112 | cmd.exe | 98
PID 9112 wrote to memory of 8400 | 9112 | cmd.exe | 98
Processes

C:\Users\Admin\AppData\Local\Temp\488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe"
  PID: 2560
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    PID: 2992
    - Interacts with shadow copies

  C:\Windows\SysWOW64\notepad.exe
    Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\F38EB9-Readme.txt"
    PID: 9512

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25D0.tmp.bat"
    PID: 9112
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /PID 2560
      PID: 8400
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 368
  - Suspicious use of AdjustPrivilegeToken