netwalker | 7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63

General

Target

7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
Size

35KB
MD5

e90699a13fec55e39e444b3f5dfa98ce
SHA1

76283d6c1eea982096fa168b138772094c812474
SHA256

7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63
SHA512

7b721c6b001c9b0c23e86e3f3a53b13cc08985f09b579e7230af695f71feb1f7b6cb348456b24cb102296da84584a8472c39417fc3275566af016ae656e2ed01
SSDEEP

768:18kq7NCuaw+84Q4h99vP8jqgbMidbhvJU9nbcuyD7UI:18kq1aww5EjIidbhhU9nouy8

Score

10^/10

netwalker ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\76D6E1-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .76d6e1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_76d6e1: 8NsLVepOAg3CWhQGKwvp8MUIMlpjwxFE4PoVA92FcKqgIbmE/v ljaw6w/Q8cu9ztZS7sFguf1XWZ+ojbhq72L1GwyaE/BPVtTAuG pGXZEtsbQsIjDbPseRXOXNL6rqjQy61OJHuoer/KQofas8FFR6 XY32/LeH1osw8XH1ZusookwLiHTx45m27kymBVAXQyFVg0dwPZ XZ7ocCUDrJY5StJdg7DBcfgXSA4oGzaf+epVVIQoIKxbpM3R6c ubFkX4U/vVcRN1yOToFLro2BRavcUxZLp/462asw==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Detected Netwalker Ransomware 2 IoCs

Detected unpacked Netwalker executable.

Processes:

resource	yara_rule
behavioral2/memory/4856-134-0x0000000000160000-0x0000000000179000-memory.dmp	netwalker_ransomware
behavioral2/memory/4856-232-0x0000000000160000-0x0000000000179000-memory.dmp	netwalker_ransomware

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\OpenJoin.raw => C:\Users\Admin\Pictures\OpenJoin.raw.76d6e1	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File renamed	C:\Users\Admin\Pictures\UnlockRestore.tiff => C:\Users\Admin\Pictures\UnlockRestore.tiff.76d6e1	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File renamed	C:\Users\Admin\Pictures\OutGroup.raw => C:\Users\Admin\Pictures\OutGroup.raw.76d6e1	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File renamed	C:\Users\Admin\Pictures\SaveStop.tif => C:\Users\Admin\Pictures\SaveStop.tif.76d6e1	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File renamed	C:\Users\Admin\Pictures\SaveUnpublish.tiff => C:\Users\Admin\Pictures\SaveUnpublish.tiff.76d6e1	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockRestore.tiff	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File renamed	C:\Users\Admin\Pictures\UninstallPush.raw => C:\Users\Admin\Pictures\UninstallPush.raw.76d6e1	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File renamed	C:\Users\Admin\Pictures\ResizeGet.tif => C:\Users\Admin\Pictures\ResizeGet.tif.76d6e1	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Users\Admin\Pictures\SaveUnpublish.tiff	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4856-132-0x0000000000160000-0x0000000000179000-memory.dmp	upx
behavioral2/memory/4856-134-0x0000000000160000-0x0000000000179000-memory.dmp	upx
behavioral2/memory/4856-232-0x0000000000160000-0x0000000000179000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\Office16\SLERROR.XML	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.scale-150.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-150_contrast-white.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\172.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\resources.pri	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\nexturl.ort.DATA	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\ui-strings.js	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\LargeTile.scale-100.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\76D6E1-Readme.txt	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalMedTile.scale-200.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-oob.xrm-ms	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-125_contrast-black.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-24_altform-unplated.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-400.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons2x.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg4_thumb.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-400.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\76D6E1-Readme.txt	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-24_contrast-white.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_altform-unplated_contrast-black.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ja-jp\76D6E1-Readme.txt	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BSSYM7.TTF	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-150.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-48.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\76D6E1-Readme.txt	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ppd.xrm-ms	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\82.jpg	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\AppxManifest.xml	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-64_altform-unplated.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-16_altform-unplated_contrast-white.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\CompleteCheckmark2x.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_ja.jar	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteMediumTile.scale-125.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\6px.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-125.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-black_scale-200.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedStoreLogo.scale-100_contrast-white.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageMedTile.scale-125.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-256_altform-unplated.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-125.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-fr\ui-strings.js	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Rotate.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\bbc_co_uk.luac	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ppd.xrm-ms	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\76D6E1-Readme.txt	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-100.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyView.scale-150.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pt_BR.jar	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-lightunplated.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\76D6E1-Readme.txt	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adc_logo.png	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\76D6E1-Readme.txt	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchApp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4260 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

9132 taskkill.exe

pid	process
4260	vssadmin.exe

pid	process
9132	taskkill.exe

Modifies registry class 30 IoCs

Processes:

SearchApp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2722"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2230"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "6697"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2230"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2722"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2230"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "6697"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "173"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2722"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "6697"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe

pid	process
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exevssvc.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
Token: SeImpersonatePrivilege	4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
Token: SeBackupPrivilege	1396	vssvc.exe
Token: SeRestorePrivilege	1396	vssvc.exe
Token: SeAuditPrivilege	1396	vssvc.exe
Token: SeDebugPrivilege	9132	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SearchApp.exe

pid process

1892 SearchApp.exe

pid	process
1892	SearchApp.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.execmd.exe

description	pid	process	target process
PID 4856 wrote to memory of 4260	4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe	vssadmin.exe
PID 4856 wrote to memory of 4260	4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe	vssadmin.exe
PID 4856 wrote to memory of 8636	4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe	notepad.exe
PID 4856 wrote to memory of 8636	4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe	notepad.exe
PID 4856 wrote to memory of 8636	4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe	notepad.exe
PID 4856 wrote to memory of 3616	4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe	cmd.exe
PID 4856 wrote to memory of 3616	4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe	cmd.exe
PID 4856 wrote to memory of 3616	4856	7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe	cmd.exe
PID 3616 wrote to memory of 9132	3616	cmd.exe	taskkill.exe
PID 3616 wrote to memory of 9132	3616	cmd.exe	taskkill.exe
PID 3616 wrote to memory of 9132	3616	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe
"C:\Users\Admin\AppData\Local\Temp\7bad3bfde268d71c7dfd13c6d62dc607427912e4106cb4247ef26f4c822fab63.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:4260

C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\76D6E1-Readme.txt"
2⤵
PID:8636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BDFC.tmp.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 4856
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9132

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BDFC.tmp.bat
Filesize
141B

MD5
40da1f1af6c171f3fd1e19cda5053d68

SHA1
0e57401d24a9353bad64070b945a12df7654c942

SHA256
1aaed7c013242f11698f15658889abcc3916f7bf39376ce2730675397c01ae3f

SHA512
c8e503bf2fd89670f7ea7833fb3d77d8ca279916d8cce13de319af45d4ca8c27e217d77007baee4f647f72737fd652d3122ef574a80bcea261da46b4b14b8083

Download Submit
C:\Users\Admin\Desktop\76D6E1-Readme.txt
Filesize
1KB

MD5
31f8078a5541626f44b3d568e3f4f07d

SHA1
597711df4f2cc4d66379a929956a6987114a6445

SHA256
42f71755c95c872cb8c25ffff1f33f0f764efe0ab58e6664f43c659ba5f42d43

SHA512
9beb2d5b8eac95d2fad5f5ac46b319a529e9cc121c7bb22414c534203a4c98af62a2755d47cfdb0134bc607485e772c7c279493ea949115dc072a4f85d2607a0

Download Submit
memory/1892-224-0x000001C980009000-0x000001C98000D000-memory.dmp

Filesize
16KB

Download
memory/1892-227-0x000001C980009000-0x000001C98000D000-memory.dmp

Filesize
16KB

Download
memory/1892-147-0x000001D1F8FE0000-0x000001D1F9000000-memory.dmp

Filesize
128KB

Download
memory/1892-151-0x000001D1FA820000-0x000001D1FA920000-memory.dmp

Filesize
1024KB

Download
memory/1892-153-0x000001D1F7BA0000-0x000001D1F7BC0000-memory.dmp

Filesize
128KB

Download
memory/1892-159-0x000001D1FA760000-0x000001D1FA780000-memory.dmp

Filesize
128KB

Download
memory/1892-223-0x000001D1F8360000-0x000001D1F8380000-memory.dmp

Filesize
128KB

Download
memory/1892-225-0x000001C980009000-0x000001C98000D000-memory.dmp

Filesize
16KB

Download
memory/1892-228-0x000001C980009000-0x000001C98000D000-memory.dmp

Filesize
16KB

Download
memory/1892-144-0x000001D1F6890000-0x000001D1F6898000-memory.dmp

Filesize
32KB

Download
memory/1892-226-0x000001C980009000-0x000001C98000D000-memory.dmp

Filesize
16KB

Download
memory/3616-231-0x0000000000000000-mapping.dmp

Download
memory/4260-133-0x0000000000000000-mapping.dmp

Download
memory/4856-132-0x0000000000160000-0x0000000000179000-memory.dmp

Filesize
100KB

Download
memory/4856-232-0x0000000000160000-0x0000000000179000-memory.dmp

Filesize
100KB

Download
memory/4856-134-0x0000000000160000-0x0000000000179000-memory.dmp

Filesize
100KB

Download
memory/8636-230-0x0000000000000000-mapping.dmp

Download
memory/9132-234-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads