Analysis
max time kernel: 150s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 06-03-2022 00:33
Static task: static1
Behavioral task: behavioral1
  Sample: 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
  Resource: win7-20220223-en
Behavioral task: behavioral2
  Sample: 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
  Resource: win10v2004-en-20220113
General
Target: 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
Size: 69KB
MD5: 3229e2489dde524195cf0ccbbf5f7d40
SHA1: a257fc0b117fb9e0a6df128213e11de5cee21129
SHA256: 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d
SHA512: d719fcf974a9304154daf95f0c80805b9a720a1db1289aa4fd189494cb0c29820a1b999d26fb38378d3a47602b26ff8375189ed9586a9c94c19fae0f4e0c650e
Malware Config
Extracted from: C:\Program Files\F38EB9-Readme.txt
Family: netwalker
URLs:
  http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
Netwalker Ransomware
  Ransomware family with multiple versions. Also known as MailTo.
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files (8 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
  File renamed C:\Users\Admin\Pictures\RepairDeny.crw => C:\Users\Admin\Pictures\RepairDeny.crw.f38eb9
  File renamed C:\Users\Admin\Pictures\FormatNew.png => C:\Users\Admin\Pictures\FormatNew.png.f38eb9
  File renamed C:\Users\Admin\Pictures\PushCopy.png => C:\Users\Admin\Pictures\PushCopy.png.f38eb9
  File renamed C:\Users\Admin\Pictures\EditDisable.crw => C:\Users\Admin\Pictures\EditDisable.crw.f38eb9
  File renamed C:\Users\Admin\Pictures\LimitPush.crw => C:\Users\Admin\Pictures\LimitPush.crw.f38eb9
  File renamed C:\Users\Admin\Pictures\SwitchSubmit.crw => C:\Users\Admin\Pictures\SwitchSubmit.crw.f38eb9
  File renamed C:\Users\Admin\Pictures\BackupUnprotect.raw => C:\Users\Admin\Pictures\BackupUnprotect.raw.f38eb9
  File renamed C:\Users\Admin\Pictures\ExportWrite.png => C:\Users\Admin\Pictures\ExportWrite.png.f38eb9
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (64 IoCs)
  Processes: 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 2992)
Kills process with taskkill (1 IoC)
  Processes: taskkill.exe (PID 8400)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe (PID 2560)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe, vssvc.exe, taskkill.exe
  Token: SeDebugPrivilege        PID 2560  488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
  Token: SeImpersonatePrivilege  PID 2560  488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
  Token: SeBackupPrivilege       PID 368   vssvc.exe
  Token: SeRestorePrivilege      PID 368   vssvc.exe
  Token: SeAuditPrivilege        PID 368   vssvc.exe
  Token: SeDebugPrivilege        PID 8400  taskkill.exe
Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: 488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe, cmd.exe
  PID 2560 wrote to memory of 2992  488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe -> vssadmin.exe
  PID 2560 wrote to memory of 2992  488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe -> vssadmin.exe
  PID 2560 wrote to memory of 9512  488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe -> notepad.exe
  PID 2560 wrote to memory of 9512  488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe -> notepad.exe
  PID 2560 wrote to memory of 9512  488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe -> notepad.exe
  PID 2560 wrote to memory of 9112  488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe -> cmd.exe
  PID 2560 wrote to memory of 9112  488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe -> cmd.exe
  PID 2560 wrote to memory of 9112  488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe -> cmd.exe
  PID 9112 wrote to memory of 8400  cmd.exe -> taskkill.exe
  PID 9112 wrote to memory of 8400  cmd.exe -> taskkill.exe
  PID 9112 wrote to memory of 8400  cmd.exe -> taskkill.exe
Processes
C:\Users\Admin\AppData\Local\Temp\488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\488261e1e0793e6830f68c572db7e229af1d9403bbc8e61b9da707b1b63a137d.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
  C:\Windows\SysWOW64\notepad.exe
    Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\F38EB9-Readme.txt"
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25D0.tmp.bat"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /PID 2560
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\25D0.tmp.bat
  MD5: 693bcf9c033752aef9e00f9c719a4d5c
  SHA1: 0e8e6f47b6332d03dba2e75919969b86e12119dd
  SHA256: bea04c8353039959ffc4b697317deb9ef4d3a9e8042efa1a1d5ebd4e71156e94
  SHA512: cc4628ac1d2a6fb9399c320185683f7a381bce949969279a30863ee163c8cafb96833e4b9a469aeca326536af8ab1f96fbb0db468a911ce14a3282f7e7b61e88
C:\Users\Admin\Desktop\F38EB9-Readme.txt
  MD5: 864217479e60795e392c540d6edbaa1c
  SHA1: 585c77a52c2adc58db91aeaf9146982fad124c48
  SHA256: d0582b246ce87dc6f92ec42545e90e9b89ade500d64fd1c1c5d517adacd3f168
  SHA512: 650b7151dba777f0bb59fc2f00553fa97752e44e2caaba7dd66ab51ec98df4544d59ad5ff8663fdf9219c95def62e4e72dc1632e79595f93bfed9c4d50731328