Analysis
-
max time kernel
150s
-
max time network
127s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230220-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
19-03-2023 16:18
Behavioral task
behavioral1
Sample
2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
Resource
win10v2004-20230220-en
General
-
Target
2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
-
Size
69KB
-
MD5
80372de850597bd9e7e021a94f13f0a1
-
SHA1
037db820c8dee94ae25a439b758a2b89f527cbb4
-
SHA256
2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8
-
SHA512
f43db3569ac60d6ed55b9a3a24dcb459e14b0bd944e9405a8cb2bfb686eaeff31c82ffcd6c477d6a6affe9014ae8ed7d8af174e8ceebbcf00b64ad293901a77a
-
SSDEEP
1536:juCWRxL7hbUiQfovecnXUU+hhOZuIWiFp+ZfaBZebC33O+Pd71vb:KCWf7VJQfmeMXvkhOZu1iFBBZebC3F7t
Malware Config
Extracted
C:\ProgramData\Microsoft\MF\6434F2-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 15 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\RenameMove.tiff | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File renamed | C:\Users\Admin\Pictures\PopUnlock.tif => C:\Users\Admin\Pictures\PopUnlock.tif.6434f2 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File renamed | C:\Users\Admin\Pictures\OptimizeUndo.raw => C:\Users\Admin\Pictures\OptimizeUndo.raw.6434f2 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File renamed | C:\Users\Admin\Pictures\RestartRedo.tiff => C:\Users\Admin\Pictures\RestartRedo.tiff.6434f2 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Users\Admin\Pictures\EnableCompress.tiff | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File renamed | C:\Users\Admin\Pictures\SplitOpen.crw => C:\Users\Admin\Pictures\SplitOpen.crw.6434f2 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File renamed | C:\Users\Admin\Pictures\InstallAdd.png => C:\Users\Admin\Pictures\InstallAdd.png.6434f2 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File renamed | C:\Users\Admin\Pictures\RedoRequest.crw => C:\Users\Admin\Pictures\RedoRequest.crw.6434f2 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File renamed | C:\Users\Admin\Pictures\InitializeWait.tif => C:\Users\Admin\Pictures\InitializeWait.tif.6434f2 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File renamed | C:\Users\Admin\Pictures\RestoreSync.png => C:\Users\Admin\Pictures\RestoreSync.png.6434f2 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File renamed | C:\Users\Admin\Pictures\ApproveTest.png => C:\Users\Admin\Pictures\ApproveTest.png.6434f2 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File renamed | C:\Users\Admin\Pictures\UnprotectUninstall.tif => C:\Users\Admin\Pictures\UnprotectUninstall.tif.6434f2 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File renamed | C:\Users\Admin\Pictures\RenameMove.tiff => C:\Users\Admin\Pictures\RenameMove.tiff.6434f2 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File renamed | C:\Users\Admin\Pictures\EnableCompress.tiff => C:\Users\Admin\Pictures\EnableCompress.tiff.6434f2 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Users\Admin\Pictures\RestartRedo.tiff | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\Analytics | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fr-fr\ui-strings.js | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluEmptyStateDCFiles_280x192.svg | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-150_contrast-black.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-150_contrast-white.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down.gif | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_ms.json | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\Microsoft.Services.Store.Engagement.winmd | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\0.rsrc | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Tongue.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSplashScreen.scale-100.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-125_contrast-white.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vreg\word.x-none.msi.16.x-none.vreg.dat | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File created | C:\Program Files\VideoLAN\VLC\lua\intf\modules\6434F2-Readme.txt | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteLargeTile.scale-125.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File created | C:\Program Files\7-Zip\6434F2-Readme.txt | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-200.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-100.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\orcl7.xsl | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-100.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\LargeTile.scale-200.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\6434F2-Readme.txt | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-16_altform-lightunplated.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VariableFrameRateVideoPlayer.xbf | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\6434F2-Readme.txt | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fr-fr\ui-strings.js | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-48_altform-unplated.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-200.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\BadgeLogo.scale-125.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-36.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-fullcolor.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\7-Zip\Lang\zh-cn.txt | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\6434F2-Readme.txt | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\FeedbackThumbnail.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\thumb_stats_render_smallest.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionSmallTile.scale-150.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\6434F2-Readme.txt | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-36_contrast-white.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\SmallTile.scale-200.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ppd.xrm-ms | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\tr.pak | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\NEWS.txt | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-36.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-48_altform-unplated.png | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\index.windows.bundle.meta | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
5044 | vssadmin.exe
-
Kills process with taskkill 1 IoCs
pid | Process
7152 | taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4868 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe (64 identical entries)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4868 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
Token: SeImpersonatePrivilege | 4868 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
Token: SeBackupPrivilege | 4804 | vssvc.exe
Token: SeRestorePrivilege | 4804 | vssvc.exe
Token: SeAuditPrivilege | 4804 | vssvc.exe
Token: SeDebugPrivilege | 7152 | taskkill.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 4868 wrote to memory of 5044 | 4868 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe | 86
PID 4868 wrote to memory of 5044 | 4868 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe | 86
PID 4868 wrote to memory of 1372 | 4868 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe | 99
PID 4868 wrote to memory of 1372 | 4868 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe | 99
PID 4868 wrote to memory of 1372 | 4868 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe | 99
PID 4868 wrote to memory of 13420 | 4868 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe | 100
PID 4868 wrote to memory of 13420 | 4868 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe | 100
PID 4868 wrote to memory of 13420 | 4868 | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe | 100
PID 13420 wrote to memory of 7152 | 13420 | cmd.exe | 102
PID 13420 wrote to memory of 7152 | 13420 | cmd.exe | 102
PID 13420 wrote to memory of 7152 | 13420 | cmd.exe | 102
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4868
  -
  C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
    PID:5044
  -
  C:\Windows\SysWOW64\notepad.exe
    Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\6434F2-Readme.txt"
    PID:1372
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\632E.tmp.bat"
    - Suspicious use of WriteProcessMemory
    PID:13420
    -
    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /PID 4868
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:7152
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:4804
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml
Filesize
3.3MB
MD5
f5e0d666ac91cee75c0885ce022714cb
SHA1
005625b4ba8082b9814dae7fa8a39b10f0d21454
SHA256
00b3dff290def1ff1aa513fd6b4d684f4ef93251bc4a63808586f476d2aba463
SHA512
a48e40c5c9adced0581c45deb9e52efac2a704681612270f41ea4abcd840c37d8fdef69cfa3ff5b4e5b2ac82e92b4903a503d2e99c46d4e6e13107b59a94293e
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\8F275DA2-5DF1-44E3-B319-427E26356EC8\en-us.16\MasterDescriptor.en-us.xml.6434f2
Filesize
28KB
MD5
9ef09d690cf42c9523e013e801977a98
SHA1
6f6e2389b96e1ea6b2b7501119337473abd25cf1
SHA256
451456a9bc1efac835f17ac09e868fd477d4f6b5de46f6c2f3f6ea7541f585fb
SHA512
f9be6d4868dfd3cb5d35fb205dc5475ca9ee03f90f4b4b1d40b3ad6080f51cae7ffc5a765bb9159904d444137d97729231964c8390a9bc606a96c6111063caaa
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\8F275DA2-5DF1-44E3-B319-427E26356EC8\en-us.16\stream.x64.en-us.man.dat.6434f2
Filesize
623KB
MD5
44aeac696bff2e1c09f5c34d5459331a
SHA1
631c3dcf3f6be2d1d5151ab75bbd68a05783e8f4
SHA256
02d87477b89d013878477982d6ee39609ff7e9f9ea96f10e26ce75c9c4202ddc
SHA512
4848e135f8e285c9156300537a1322e652e44c26ca394ca6736a77236cae68a6a295ee9ebb79e71009b96136c38fb58e00433d808eb2e80258564109cc22667d
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.6434f2
Filesize
93KB
MD5
de38630350e6a79671d090f02621336c
SHA1
83c763b48fe408400110cbccedda5171cb8e1bf5
SHA256
97e71b53479992953a1f865127ba21181be7273f6dc5f40e4ef6eb51b8758809
SHA512
ab685ff6404313b394b88272addbb65814b57cbd9451d20438799305e76366c906654381aa14832306e8188cc997fbc3b31aa76b6a7a0fe1788dd9f979109239
-
Filesize
1.1MB
MD5
4589cbaedc052d3962c532d8f7347439
SHA1
88af2be699f56cb260164eb21d0d530b7c81328d
SHA256
8f32a72f8f4c6cf533c73cdce4a549c8fa5e19c575c2535b3cb69d64bc1fc099
SHA512
88006fd758d3dc7b61175c4e8b723f57c3a3548f4e37f14af8d86fda5e94c8510078e638f959ca8dcb377332d3105f30e1a664082f416628c1ab0b5538c5dc87
-
Filesize
1KB
MD5
385561d95ef07aa02bbe9362a491d390
SHA1
2f3003e0c07f33cee1657f4a4465c64acc4496ac
SHA256
114fb026887196148134b6fc83d42865510cb47c5735a9402b28a20bde48b67e
SHA512
203175903af4de7c0c47af16353f3c9c11b0af9b0096b516e9daebc3eb4d9398a9bf5291ec3be9fdede1fc1f41633bd514f452e8e794ab01f5be6ed3430cba3a
-
Filesize
5KB
MD5
1c90668bb41b965d307ca4164c5d4412
SHA1
8348b3100ecbfc526ad4fa2543056677d8376cd8
SHA256
61313bd26441737991e79117a62bb8c605c2125e59a3e93db519d4e04ea3f8c7
SHA512
83e16bcc31ba03412a7435e55bb00d2118516986039f7585a81a2c8ddc678ff14ba2d8fe1e84c1eb0cca3413c84fe84c37265de4f4a1a361eb30f873208b4384
-
Filesize
141B
MD5
c02faa9c40262380ac5e62b5d2672086
SHA1
c11ea7166be18baa4fd395cfc6ab308f1439354d
SHA256
1f7dc90dd1c51e480547b2c6abd82f4133457b5fa9903f7bc5b839e2504632a9
SHA512
243d9526d91d0fd634635006947139f90321145835f19ac1789b5b1bb4a514a204d1eb13e04646e6bed3fd303592c34e9c83416b8e95a8b4f07918a0a217aacf
-
Filesize
1KB
MD5
385561d95ef07aa02bbe9362a491d390
SHA1
2f3003e0c07f33cee1657f4a4465c64acc4496ac
SHA256
114fb026887196148134b6fc83d42865510cb47c5735a9402b28a20bde48b67e
SHA512
203175903af4de7c0c47af16353f3c9c11b0af9b0096b516e9daebc3eb4d9398a9bf5291ec3be9fdede1fc1f41633bd514f452e8e794ab01f5be6ed3430cba3a