netwalker | 2efb62748a9a6b808dcc9c6303ff8c4567a2ee20a56022f8ecbe3b6739fb0a40

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
22-02-2024 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d8ebde851e42622e0b6e60ec831e03a.exe
Size

1006KB
MD5

2d8ebde851e42622e0b6e60ec831e03a
SHA1

e77962926002b4603017901c097a54e8f83b6da9
SHA256

2efb62748a9a6b808dcc9c6303ff8c4567a2ee20a56022f8ecbe3b6739fb0a40
SHA512

39392647c1f82bf417986961a4b62a7843977f9aa641fcb10a4e4a943ab5b617d6c20bad4c14664a951528979fe8ea6f7b58b932d9d45c5b883dea6a65b05a86
SSDEEP

12288:hSCbvRebC9TrasaYadqjRaQaofKkzaxa3+:oev/f3h7+QWr

Score

10^/10

netwalker ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\3CD829-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .3cd829 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_3cd829: zCUFR5I2NV1EwN/M4sWSoXoYsbQv0hRua4bZN+ayncyMXJHCnd Siq8n5yA1lhvSpVdETET6n/guAXU67TMw2lmQ2WuhbyWJT6kpz tJrnCQeAwlxrcYD9ZyFOvmgdkqQDAsers5MFeS7HS54D1cFlrQ 1F/9QrXd0zqC4W2BgQPwtcP640yojXoEYf/JsNGMCt+5ZWfJa0 9XQfvtTgFOtj/VF1OqAMfw2FbDMdru07ajrSXNsl6ienshv8bg DBgDXdIQWOr3f47eLbk20DBO3AAEVhRhhobixdbQ==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (7450) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
4492	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

Processes:

2d8ebde851e42622e0b6e60ec831e03a.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLAPPTR.FAE	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTIT.CFG	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\MINUS.GIF	2d8ebde851e42622e0b6e60ec831e03a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\3CD829-Readme.txt	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyNoDrop32x32.gif	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\vlc.mo	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199805.WMF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_COL.HXC	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN058.XML	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187819.WMF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\XLINTL32.DLL.IDX_DLL	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIcon.jpg	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_mid_over.gif	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jar	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01179_.WMF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107138.WMF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02270_.WMF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18197_.WMF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kolkata	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Minsk	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\TAB_OFF.GIF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196358.WMF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00391_.WMF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115876.GIF	2d8ebde851e42622e0b6e60ec831e03a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\3CD829-Readme.txt	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07761_.WMF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Moncton	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02950_.WMF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf	2d8ebde851e42622e0b6e60ec831e03a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\3CD829-Readme.txt	2d8ebde851e42622e0b6e60ec831e03a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\3CD829-Readme.txt	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Belize	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Monticello	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00439_.WMF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02373_.WMF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01176_.WMF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01294_.GIF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14883_.GIF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02214_.GIF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME19.CSS	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Chihuahua	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR20F.GIF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212953.WMF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Custom.propdesc	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR14F.GIF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALHM.POC	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01183_.WMF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.PPT	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImage.jpg	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar	2d8ebde851e42622e0b6e60ec831e03a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\3CD829-Readme.txt	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00255_.WMF	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\README.txt	2d8ebde851e42622e0b6e60ec831e03a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\3CD829-Readme.txt	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME44.CSS	2d8ebde851e42622e0b6e60ec831e03a.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

vssadmin.exe

pid	Process
1800	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
2972	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2d8ebde851e42622e0b6e60ec831e03a.exe

pid	Process
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe
2072	2d8ebde851e42622e0b6e60ec831e03a.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

2d8ebde851e42622e0b6e60ec831e03a.exevssvc.exetaskkill.exe

description	pid	Process
Token: SeDebugPrivilege	2072	2d8ebde851e42622e0b6e60ec831e03a.exe
Token: SeImpersonatePrivilege	2072	2d8ebde851e42622e0b6e60ec831e03a.exe
Token: SeBackupPrivilege	7992	vssvc.exe
Token: SeRestorePrivilege	7992	vssvc.exe
Token: SeAuditPrivilege	7992	vssvc.exe
Token: SeDebugPrivilege	2972	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

2d8ebde851e42622e0b6e60ec831e03a.execmd.exe

description	pid	Process	procid_target
PID 2072 wrote to memory of 1800	2072	2d8ebde851e42622e0b6e60ec831e03a.exe	28
PID 2072 wrote to memory of 1800	2072	2d8ebde851e42622e0b6e60ec831e03a.exe	28
PID 2072 wrote to memory of 1800	2072	2d8ebde851e42622e0b6e60ec831e03a.exe	28
PID 2072 wrote to memory of 1800	2072	2d8ebde851e42622e0b6e60ec831e03a.exe	28
PID 2072 wrote to memory of 2116	2072	2d8ebde851e42622e0b6e60ec831e03a.exe	33
PID 2072 wrote to memory of 2116	2072	2d8ebde851e42622e0b6e60ec831e03a.exe	33
PID 2072 wrote to memory of 2116	2072	2d8ebde851e42622e0b6e60ec831e03a.exe	33
PID 2072 wrote to memory of 2116	2072	2d8ebde851e42622e0b6e60ec831e03a.exe	33
PID 2072 wrote to memory of 4492	2072	2d8ebde851e42622e0b6e60ec831e03a.exe	34
PID 2072 wrote to memory of 4492	2072	2d8ebde851e42622e0b6e60ec831e03a.exe	34
PID 2072 wrote to memory of 4492	2072	2d8ebde851e42622e0b6e60ec831e03a.exe	34
PID 2072 wrote to memory of 4492	2072	2d8ebde851e42622e0b6e60ec831e03a.exe	34
PID 4492 wrote to memory of 2972	4492	cmd.exe	36
PID 4492 wrote to memory of 2972	4492	cmd.exe	36
PID 4492 wrote to memory of 2972	4492	cmd.exe	36
PID 4492 wrote to memory of 2972	4492	cmd.exe	36

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2d8ebde851e42622e0b6e60ec831e03a.exe
"C:\Users\Admin\AppData\Local\Temp\2d8ebde851e42622e0b6e60ec831e03a.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1800
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\3CD829-Readme.txt"
  2⤵
  PID:2116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\7677.tmp.bat"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /PID 2072
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\3CD829-Readme.txt

Filesize
1KB

MD5
7f601554ca30a95ee7c5eb5e710c857c

SHA1
17e8062ce0de104cc9d146153bd46db841a0fea5

SHA256
8130cb14af1fa87bde472c952d6591217cd45c8c43c31a181532fe5eb03081fb

SHA512
0572dc00c4364821ebe1ec6ebbff35212db6584e760a164623ecab15b769c5c42e8f31a6b326173250282f702cdb13cd9459acac86736db28b775c0c85d6de3e

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_AssetId.H1W.3cd829

Filesize
229KB

MD5
332176b57d3a79b0bce5e80a2690a9c2

SHA1
ba8f9cd54468e295a0f59a50b022d972aea79a21

SHA256
e1c2765030dbaa699bf760f7d12c953e9533851f24a2ce7e4b2a1ce735d952f9

SHA512
c1e87b2d6c534b899ba1b20d79b61d22a7eccad5e2fb098362c379e2b46acfbdb818e4e115ff64d3f0688e3fae70a1fc3e1f2951b7b11d13680a1f650a257cd6

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_BestBet.H1W.3cd829

Filesize
201KB

MD5
1b55bb394921ad011e67874e83dd1548

SHA1
717148d655896e175f478d3bab822e65c9055b39

SHA256
30213486fcd5a044c6b0378e599c62d13fc75cad67dbca257833380ba97162f0

SHA512
ae65bafb1a10a8a81987215e32733924b081897c6e212784bea3f3033339b3bed71a986d41f67a74c97abc2edf98800056be6dacc031319d6a230e8cc6f6c1fc

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H.3cd829

Filesize
491KB

MD5
1f7ba7b749bf507ea5b3d1e3c3fd4616

SHA1
4f16d9d493cd093c8b41acadeba6a3c7b3812c20

SHA256
ecb421a8ade0af5d9e4a1f1853744c21cf358faf4e1f6f74408ff6c9dca9dcc0

SHA512
42f5b6f42cac52887d57b30e109461876eeacc1cedc462581c1e9dc9f0e9aef0a69827199a7de12724b1065ee05de9e05f467ca3398f301f5c1908f943140eb1

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.H1D.3cd829

Filesize
14KB

MD5
2a73758e30a0c3b773068667c72fd9e4

SHA1
547edbc8d171fc6eb573e93d7b9237e2d801779e

SHA256
4e43fbd28848993b74df8e7dee1421224372f1ee6a5901ceeb5b5ba1181cad61

SHA512
e12d17268eca075277416cb55222854cd60e7880b4520e647ce8006ddef5a060180bd09d04e6528b40a094f08ff26ffbc447fc3b3dd607d8849c3aa7838718c6

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.3cd829

Filesize
864KB

MD5
fdf43ea5fce08af32e51744576642cf7

SHA1
fab68a62487c253984d847eaac113f560f5ef488

SHA256
e4a17e186fb52c30870eca8ec441a3e234ae895cbe47b760eb2335d0be86380c

SHA512
58d96d03d0f0a28a89a453035def5b8150d9549aae55c3e9385b1ce3e6ab92406aa0538a1e533f6cdeed02a3184bb9598a78ebccb17c07933f0bea2b1223b1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7677.tmp.bat

Filesize
109B

MD5
ae4adca168915252d31cfbf7dea92286

SHA1
767bb1aa6afcffab00b6dd118447a9c5b3260870

SHA256
10faa31e9ce6b4b2bcd2ac53705e552edc32d8d611e283bc863bdd1c39ccbde7

SHA512
30d4e383f320cfbb20713840f6da842aed07e0956bed174df1ec273609185b34952f5f534e583dce972f86e9826c410aa341f132040c4b8db71a40a9c733e895

Download Submit