netwalker | 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d

General

Target

488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
Size

69KB
MD5

3229e2489dde524195cf0ccbbf5f7d40
SHA1

a257fc0b117fb9e0a6df128213e11de5cee21129
SHA256

488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d
SHA512

d719fcf974a9304154daf95f0c80805b9a720a1db1289aa4fd189494cb0c29820a1b999d26fb38378d3a47602b26ff8375189ed9586a9c94c19fae0f4e0c650e

Score

10^/10

netwalker ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\F38EB9-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f38eb9 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f38eb9: oZtWfIFUR0jhYgZRUnLzRlO1tQjGyzBfmWXHNc+R4AQ+UUXDOM Y1lD9u/+GVhHc3IC6cyk46uYYchaOM7JqSyODcGsmn5iZrgw2l dFR5kzj7FMM7uI3ZaB0CxswjhpOV4CbnJs3GiuXQSUR+snIb5/ IPKOc8VJ38FTDRRGY7izU6v6h8XZrmJ8o2K7/HOZnva3rkVzq1 Fxv9m42nJNZgbZVSdCFJOqntZz6kfOu0yoAfFRSiULRT8xL6jb LrMNIALbXHmtQumHAw18fLkgJX06YcZ0LU/WCvPg==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RepairDeny.crw => C:\Users\Admin\Pictures\RepairDeny.crw.f38eb9	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File renamed	C:\Users\Admin\Pictures\FormatNew.png => C:\Users\Admin\Pictures\FormatNew.png.f38eb9	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File renamed	C:\Users\Admin\Pictures\PushCopy.png => C:\Users\Admin\Pictures\PushCopy.png.f38eb9	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File renamed	C:\Users\Admin\Pictures\EditDisable.crw => C:\Users\Admin\Pictures\EditDisable.crw.f38eb9	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File renamed	C:\Users\Admin\Pictures\LimitPush.crw => C:\Users\Admin\Pictures\LimitPush.crw.f38eb9	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File renamed	C:\Users\Admin\Pictures\SwitchSubmit.crw => C:\Users\Admin\Pictures\SwitchSubmit.crw.f38eb9	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File renamed	C:\Users\Admin\Pictures\BackupUnprotect.raw => C:\Users\Admin\Pictures\BackupUnprotect.raw.f38eb9	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File renamed	C:\Users\Admin\Pictures\ExportWrite.png => C:\Users\Admin\Pictures\ExportWrite.png.f38eb9	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-36_altform-unplated.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\8041_32x32x32.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\es-es\ui-strings.js	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\mso.acl	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-200_contrast-black.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-BoldIt.otf	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\de.pak	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionLargeTile.scale-400.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\vlc.mo	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\plugin.js	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_zh_CN.jar	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\ui-strings.js	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Velocity\FeatureStaging-SnipAndSketch.xml	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-black_scale-200.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File created	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\F38EB9-Readme.txt	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\identity_helper.Sparse.Canary.msix	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\ui-strings.js	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-3.jpg	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-20_altform-unplated_contrast-white.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\th.pak.DATA	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sv-se\F38EB9-Readme.txt	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-36.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-150_contrast-black.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\telemetryrules\hxcalendarappimm.exe_Rules.xml	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\offlineStrings.js	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ImagePlaceholderWhite.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-20_contrast-white.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-black_scale-125.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\ui-strings.js	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-lightunplated.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\rt.jar	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_Checkmark_White@1x.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-256_altform-colorize.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-80_altform-unplated_contrast-white.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-white_scale-200.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-32.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\F38EB9-Readme.txt	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlFrontIndicatorHover.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\logo.scale-200_contrast-black.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-1346565761-3498240568-4147300184-1000-MergedResources-0.pri	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\FaceReco_Illustration_Cancel_SM.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\SmallTile.scale-200.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-32.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-400.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ar_get.svg	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sl.pak.DATA	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\plugin.js	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\F38EB9-Readme.txt	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reminders_18.svg	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2992 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

8400 taskkill.exe

pid	process
2992	vssadmin.exe

pid	process
8400	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe

pid	process
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exevssvc.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
Token: SeImpersonatePrivilege	2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
Token: SeBackupPrivilege	368	vssvc.exe
Token: SeRestorePrivilege	368	vssvc.exe
Token: SeAuditPrivilege	368	vssvc.exe
Token: SeDebugPrivilege	8400	taskkill.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.execmd.exe

description	pid	process	target process
PID 2560 wrote to memory of 2992	2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe	vssadmin.exe
PID 2560 wrote to memory of 2992	2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe	vssadmin.exe
PID 2560 wrote to memory of 9512	2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe	notepad.exe
PID 2560 wrote to memory of 9512	2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe	notepad.exe
PID 2560 wrote to memory of 9512	2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe	notepad.exe
PID 2560 wrote to memory of 9112	2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe	cmd.exe
PID 2560 wrote to memory of 9112	2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe	cmd.exe
PID 2560 wrote to memory of 9112	2560	488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe	cmd.exe
PID 9112 wrote to memory of 8400	9112	cmd.exe	taskkill.exe
PID 9112 wrote to memory of 8400	9112	cmd.exe	taskkill.exe
PID 9112 wrote to memory of 8400	9112	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
"C:\Users\Admin\AppData\Local\Temp\488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:2992

C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\F38EB9-Readme.txt"
2⤵
PID:9512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25D0.tmp.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:9112

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 2560
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25D0.tmp.bat
MD5
693bcf9c033752aef9e00f9c719a4d5c

SHA1
0e8e6f47b6332d03dba2e75919969b86e12119dd

SHA256
bea04c8353039959ffc4b697317deb9ef4d3a9e8042efa1a1d5ebd4e71156e94

SHA512
cc4628ac1d2a6fb9399c320185683f7a381bce949969279a30863ee163c8cafb96833e4b9a469aeca326536af8ab1f96fbb0db468a911ce14a3282f7e7b61e88

Download Submit
C:\Users\Admin\Desktop\F38EB9-Readme.txt
MD5
864217479e60795e392c540d6edbaa1c

SHA1
585c77a52c2adc58db91aeaf9146982fad124c48

SHA256
d0582b246ce87dc6f92ec42545e90e9b89ade500d64fd1c1c5d517adacd3f168

SHA512
650b7151dba777f0bb59fc2f00553fa97752e44e2caaba7dd66ab51ec98df4544d59ad5ff8663fdf9219c95def62e4e72dc1632e79595f93bfed9c4d50731328

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads