netwalker | 2efb62748a9a6b808dcc9c6303ff8c4567a2ee20a56022f8ecbe3b6739fb0a40

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d8ebde851e42622e0b6e60ec831e03a.exe
Size

1006KB
MD5

2d8ebde851e42622e0b6e60ec831e03a
SHA1

e77962926002b4603017901c097a54e8f83b6da9
SHA256

2efb62748a9a6b808dcc9c6303ff8c4567a2ee20a56022f8ecbe3b6739fb0a40
SHA512

39392647c1f82bf417986961a4b62a7843977f9aa641fcb10a4e4a943ab5b617d6c20bad4c14664a951528979fe8ea6f7b58b932d9d45c5b883dea6a65b05a86
SSDEEP

12288:hSCbvRebC9TrasaYadqjRaQaofKkzaxa3+:oev/f3h7+QWr

Score

10^/10

netwalker ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\984466-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .984466 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_984466: 4zWYdB3/V5lmX+HhdE+BVji/5aIhjmpv/1zTDs+XOf6s832Piu g3yMRt+IL78NHftIuOTT0OMSY/YnmU4VMqn8ftQYzihvAE6kpz tDMthmB83Ciq/CxicBp4VFjlmRLDBqFievZ+6OnQQG0PCHfKKk 2ytNIU/ADBjo1LMtbpyRExfzCi/VZ9CjOYocSuSV6znTBZjnob n+JID68cc4AkoEMLP3/4B2B1MM4Rr/ir9brmA2ZqPkYA7kfMvE DC78hzfCw6GXU1/1h1JStn7NAIVzM1HP+LjfYRsQ==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (6596) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

Processes:

2d8ebde851e42622e0b6e60ec831e03a.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\182.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-100_contrast-black.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ui-strings.js	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ca-es\ui-strings.js	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\main-selector.css	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\id_get.svg	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\SmallTile.scale-125.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\AppxManifest.xml	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-unplated.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-white_scale-200.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-36_altform-unplated.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\LargeTile.scale-100.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\PaintApplist.scale-200.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp9.scale-125.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\StoreLogo.scale-200.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\ProgressControl.xaml	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-125_contrast-white.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_scale-200.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\Klondike.Large.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\164.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-pl.xrm-ms	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailMediumTile.scale-400.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker31.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\LockUnregister.gif	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireLargeTile.scale-200.jpg	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\people_fre_motionAsset_p3.mp4	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailWideTile.scale-100.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-400.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\984466-Readme.txt	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.boot.tree.dat	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-100.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-150.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int.gif	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\ui-strings.js	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\SATIN.ELM	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-16.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_contrast-white.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\inline-error-2x.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\ui-strings.js	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\HoloAssets\HoloLens_SurfaceReconstruction.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-unplated.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\CANYON.ELM	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-80_altform-unplated.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookWideTile.scale-125.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\984466-Readme.txt	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner2x.gif	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-down.svg	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-256.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-white_scale-200.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MedTile.scale-100.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-100.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-400_contrast-white.png	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64	2d8ebde851e42622e0b6e60ec831e03a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\UserControls\SpeedSelectionSlider.xbf	2d8ebde851e42622e0b6e60ec831e03a.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

vssadmin.exe

pid	Process
1676	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
12008	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2d8ebde851e42622e0b6e60ec831e03a.exe

pid	Process
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe
1268	2d8ebde851e42622e0b6e60ec831e03a.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

2d8ebde851e42622e0b6e60ec831e03a.exevssvc.exetaskkill.exe

description	pid	Process
Token: SeDebugPrivilege	1268	2d8ebde851e42622e0b6e60ec831e03a.exe
Token: SeImpersonatePrivilege	1268	2d8ebde851e42622e0b6e60ec831e03a.exe
Token: SeBackupPrivilege	1764	vssvc.exe
Token: SeRestorePrivilege	1764	vssvc.exe
Token: SeAuditPrivilege	1764	vssvc.exe
Token: SeDebugPrivilege	12008	taskkill.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2d8ebde851e42622e0b6e60ec831e03a.execmd.exe

description	pid	Process	procid_target
PID 1268 wrote to memory of 1676	1268	2d8ebde851e42622e0b6e60ec831e03a.exe	85
PID 1268 wrote to memory of 1676	1268	2d8ebde851e42622e0b6e60ec831e03a.exe	85
PID 1268 wrote to memory of 9056	1268	2d8ebde851e42622e0b6e60ec831e03a.exe	92
PID 1268 wrote to memory of 9056	1268	2d8ebde851e42622e0b6e60ec831e03a.exe	92
PID 1268 wrote to memory of 9056	1268	2d8ebde851e42622e0b6e60ec831e03a.exe	92
PID 1268 wrote to memory of 9772	1268	2d8ebde851e42622e0b6e60ec831e03a.exe	93
PID 1268 wrote to memory of 9772	1268	2d8ebde851e42622e0b6e60ec831e03a.exe	93
PID 1268 wrote to memory of 9772	1268	2d8ebde851e42622e0b6e60ec831e03a.exe	93
PID 9772 wrote to memory of 12008	9772	cmd.exe	95
PID 9772 wrote to memory of 12008	9772	cmd.exe	95
PID 9772 wrote to memory of 12008	9772	cmd.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2d8ebde851e42622e0b6e60ec831e03a.exe
"C:\Users\Admin\AppData\Local\Temp\2d8ebde851e42622e0b6e60ec831e03a.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1676
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\984466-Readme.txt"
  2⤵
  PID:9056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3445.tmp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:9772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /PID 1268
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:12008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\AppXManifest.xml.984466

Filesize
3.3MB

MD5
4f1c59a9d85ce1124cd541780733711b

SHA1
940ead6b58e0541c86620779d7fff2eb627dc51a

SHA256
ca028df028d2b1b5162ab8127ee72d2d973ceac170ded7cb71338f720dd83167

SHA512
7f6abaa36adc18d412a79f29f146d31a028d92f26c20052a08e5b5cb65a65365cc42e445a342c0d859c0e1e7c7ffb255b0ae8b897dbfabf8c1794e38bcf631e0

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml.984466

Filesize
910B

MD5
ed989712f824c347b3b1c30da175dd9f

SHA1
7473cd255959bfd04ecd7a22be2f18259c42c58c

SHA256
cbdef7d0113669cc90f73e87583ea9b425e39e7a09f63320ba87e62f9850e657

SHA512
f4cd78ac808e0df8a111ff15c532e3649f1badf6835652beb4f2787d3f8e90c163a03466c38eb4cfbcfd95631c22840c8dec8e8327990701182688417d48c832

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.984466

Filesize
93KB

MD5
47f5283871ab381b0d87e6a9826ec1be

SHA1
cc9abf3e47c1a7cf1e64c30d566645fbe713ffe0

SHA256
5433b7a77dc26896205444c3558a47d09154732f8a03c86d3eefeff059061a08

SHA512
33ec67c7b7a5902540b698ad5c4d78d2d22029ce8d319db00e991b2efe2fdba9f65df01f0179b205feee206351d25a830b88f79885c7d136edc08b62de7c16d6

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml.984466

Filesize
27KB

MD5
0b3b67e07ec6ed653fc07d08ef04bcfb

SHA1
011ae6d94287f9855d4e545d887f432b77a4cdc2

SHA256
b460022d5db02e83cee363a81b2fd759d258d21d8123784fc31d165dc0622529

SHA512
215db8e4fb518a8eb4101f5a8449b660c21946e9555efce1452a5c3abeb6cd6e62ec4b4646265f4c1856faeb58a753d736e387169c299169999b9c0376a11a3b

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml.984466

Filesize
3KB

MD5
010f9ac813d4a905f1955cde41cbc897

SHA1
1258c704d41480f84e1cd3c030275f82a301565f

SHA256
e74e01090839cb82b1f99e8b65f3e622e5235f077da950cc17f4553b058bfd84

SHA512
9d363957b017d8aefaef12abf0575202098994c8617a78e550c07179e0a64fb47fde779c2771d7df622688aa87d35f941f36025ce3d8dce64af95d4e1476581e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man.984466

Filesize
111KB

MD5
3b05690c43c49bf9d60958a04407ff21

SHA1
9126188e5a195dace097e93ea1e5497b8348f0bb

SHA256
47df467a75806b24a971e4a4491ff0cc5e24c3bd31d458f08f47082bf43ae8ab

SHA512
6c6cf0d23b7a9537a673ef6b0ed159860d93c8526d930f87f4da9bacf92b38ee3c0902d7d07bb8319911768f7110755d69440e71d93546116b8f9dfbf5beb867

Download Submit
C:\ProgramData\Microsoft\Crypto\SystemKeys\61569559822ceaa5480611c6f33f14e6_721196e6-b31c-4e5d-b8d6-136c757b28ae.984466

Filesize
1KB

MD5
7df8bad42897b35f1d487f1a41b3a6d8

SHA1
eddf8dc21f53384f47da255494a3b8c7c2ad09dd

SHA256
37bb0ba69384e9f5efae3d0c52f8870908fe753915db3d3742caac8cd36d2eaf

SHA512
df944c8da3035ea3f5885b9313f63b3b9063878a4b0e2095348c2b21175380420346c6e726964c2b9aecf9f841b3d0dad05bba0be9e3182792aa566ce951336c

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.984466

Filesize
174KB

MD5
8ebd3cf4bacf14b3c545ec86ac7a598a

SHA1
2f86eb7f2ae966fa3f816949ea4691eaee6aab3c

SHA256
c8d36fdba22f90b10b901d389ecb1c5891842131ebc325a439ff9912508a1b25

SHA512
dd27f53b414faaeed5c9dcbf9129cb74f9545437ab1559533aa7e12c33da660a548c113804cc5196dd77686af29fab3e941cb165c8a1b80dafe800ca800d11a7

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log.984466

Filesize
111KB

MD5
5378bebb2dcaf654198e070ec981b04f

SHA1
86bb9350aa5ce0b1956832b0d9d0e459818f6a57

SHA256
95ee8ee36bd58939b04495fa1a73207dedadc6468450a4ff1fead0acef1535f1

SHA512
5bed7d81f4c3bf045402178765a151ff36fb3983117db538ab408698a27630c8291edccb5afd8ef8b84848c807c8f4d1b9c1d3b9dc62d0ff75832bc99dc4d482

Download Submit
C:\ProgramData\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml.984466

Filesize
12KB

MD5
2e2724cc350a71094007b67d7bd0dee1

SHA1
28c351ec07e57fb48cb098fe0f3abf21b33c22cb

SHA256
42898246414e529cee6aedb9ed1dd402c27e0f930bb3db430acdad60a353a19a

SHA512
f2242f0b6901ce664659de4682fddcac25b6ed4df57235704190369d9ea8aac387adf1a0204a53566fbb06bac1177d131f38860b872d15256a4454546070e337

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000.984466

Filesize
506B

MD5
db76d694c8dfe95c6115f72a6f4a60fb

SHA1
eca17fc4fea2a5b616ca86da311fa0412b92a5cf

SHA256
f85e7e571638175ee1500c1ca2bdf826f541625aa8830af49364937cc974de28

SHA512
6eeafdabafe0a3623f9cd1ea714f22f86e19233eb4067360425810a942ee27ae77801a9a15359461a621f28cc3652dcbeb2349d7ae0223ed7e04fbbe3ece08df

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002.984466

Filesize
64KB

MD5
47882dbc3b2b0d5ec35d2fae37b60e60

SHA1
43558b1d90e57cf0479ee3140c2d85c627c3b960

SHA256
31aeb71e07675278e35bf6b5cd5f4710db334f3c5c8deee9783d432aa5d7dd65

SHA512
aee07b84fc3a7c38711785c9afb39639f6a55871eb9a219d15c6b6a92fe16fb1f3764c051d9a8f9d52a7ce45b302497a0af7933bb324e78a3d5d8e48df2c73bf

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.chk.984466

Filesize
8KB

MD5
0d5de65a3c51105c05b688177d92c01d

SHA1
81429acf8952b653b3ed4a6f980ad73e9dcabd41

SHA256
231b34b3c51b264bd5abc49e81ba146322ec94907149ad6de7deff0d0e9549b2

SHA512
db3ce9aba93bb8c32139390e5ba6858e15bffed0dfeb5b991b4d94c5531cfd46bd7b3e967e68d9c01af5bc888823448184f1224f3c8274a236bdf707174e5058

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log.984466

Filesize
64KB

MD5
cf7bc24aa88b871e81a8b5f2662b61ed

SHA1
09e80f9809f6294765580e19ab19f24207f12377

SHA256
f8fee7f5a643cfa6bbd70409613838affa8916727c94d074dfc5ae9ef1c6d442

SHA512
98fb529d4963e8ea61758533f85586d7b2149bf390430e2099fc854de63659d40e9528d7ab11b31276ba70e43e4b62f53ce1a35cee9c05fb80ed3e95bd0f44d5

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00002.log.984466

Filesize
64KB

MD5
c00fe74e8d3d5cbf5eba63b15470f5d2

SHA1
a001c244bd68a1bdc581367412db67d4cc98df94

SHA256
80067ef685dc58f40b333b63d36bd38331bbe29a77634eb9f85daf7ee26b607f

SHA512
a9c7bcf051aba433b2a0fac3159e3f605049ddf05beaffdc51264e27d2b83c084d36c5cf453663aa77244b1d8a2d337fc398e5cb2a014ad03d4069e6d90d1ccc

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs.984466

Filesize
64KB

MD5
2e51ecbd1d455f5437d3b15be2dcbbf0

SHA1
0d6310467e524087f4394fcbda30c3985743e361

SHA256
5514881b72fd9512dd589ed85102178509252c34fc227d616494f75fc26d75b8

SHA512
6a0b910aa6a3420ca628ca073475cb10ed91a6973b5283a2e7c60bbabb8a83a5538043bd58a61678b6d80ac9eae0e90d97e9273bc61a1551eda4dc99f62d12ed

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log.984466

Filesize
64KB

MD5
273873926fceb4580e915c6450448a98

SHA1
2a204e6dfe96755c671957d17049c8cba3cb3e76

SHA256
57678e12754ea9b1b3caf2b39a8215facd467da99e51adf225e1f25f2bf7f21b

SHA512
75926fb965c29c3fd57c2ca526e277bf34004f2837759f7fc237488d36bace2f928cc37a8f10780eeafe669b2bf5c1e2962c6bead762f23eeece3c6da89e4a98

Download Submit
C:\ProgramData\Microsoft\Windows\OneSettings\CortanaUWP.json.984466

Filesize
531B

MD5
ae122bfb04a976e7f36e0bf28fc5891a

SHA1
3c4d3a7aaf33b688a997db93af94eba0ec49ce85

SHA256
8d899ce5ad22855a76019818ae8821f1f7e60ba9faf69af39b3cb4b03d6e3743

SHA512
35429ac9b8b74f15f314d1a12675adc1f27118d6fe49788aa07a0906f5e05f8f5957eb68c1f3200f9b54687ed0d94f5b54d7bd651a1fc7a66466b452ea98446c

Download Submit
C:\ProgramData\Microsoft\Windows\OneSettings\FeatureConfig.json.984466

Filesize
33KB

MD5
a32566334940cfc6ff5b67ba5be8c428

SHA1
ded967ac4829b78156ff9ef5cf8acf86aad8a188

SHA256
1ea0bbc39c5488e449fdee03353e5c204557dce3fc430162be9821f81b88655f

SHA512
ff41e95b976687bdc894b82c8784c165f8da98545a6d9e96c2425356b8c1fc8f999f6e2614ada30f65666dcc6898216f71d907964cc3216762f82fe5c1b2798a

Download Submit
C:\ProgramData\Package Cache\{17316079-d65a-4f25-a9f3-56c32781b15d}\state.rsm.984466

Filesize
1KB

MD5
a29371bea51aa6b31d17eeee8b4a4510

SHA1
4833e868b30d4ee7f3be3267fb0e47e1658d1c4a

SHA256
45ab11ac2d5af73ce1e1bd113cb0fcc92d506de4121d1681cf80a3133bdee1af

SHA512
98d0b8babd315681dbd142961c2437bf831be71923671a2786864a5bcb6c6a8027dc64ea3e52cb4d638f93f9bb251224ca36f7e87c20fb2782760c72047ad446

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.984466

Filesize
1KB

MD5
79413e5509d7c62762d2774d1ec7aab0

SHA1
6e2e39e48a9e1ee40cbea075b36812d4f86d0a46

SHA256
f87e6063bf5078c9980c0ed28589ca6dec1e52309c8d82ee89ab6de602c7ccb5

SHA512
cb13d1a16a7ce102dd6f55727ef3534078ebf531f5791e6fbcd63560b5edc1c207cff2dbaffcf4a8a0293ff1db02f977a808a9bd3d8f27b9a240192b77061e0a

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.984466

Filesize
1KB

MD5
0bdd5a02f44daad93ec7ec2344a00c0b

SHA1
cf0e7d3837ad2490e65deaacbf45f2dd4e2c40b0

SHA256
4730a9f946e0c88d1c9b1b6c0871ffd7669444054a97a1ea924a4514937510fd

SHA512
557dd2200ae5694b0e5c40d2dabee1c1215b0e29514398fcd27c6705f3993bed222956a855b8ed8eb0e803d38ea0eb39eaca99312e7ead3b8301bcbe2c634817

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.984466

Filesize
1KB

MD5
55d8240a0c481fe19baed2d10c3cc4ba

SHA1
4ba0fe4ea3b97d5deb165ad5eb2237cb52332967

SHA256
2025aed437afe72d2d0a285884e8c27640c30ab5beed6c2dbd6f5a6837da053d

SHA512
0643f673633b9d921f54066fb0212f661cda3d36204afb269d82afdf83b517cf3c4a6f6f777f3aefd710c60a0413f2af00b8f8bc2a2124e3ab9af610e61ffcbe

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.984466

Filesize
1KB

MD5
62bf22c0c8587f8996e32a0916e0b7e7

SHA1
64f231900a9cee67c07b985201c292f8bd290b9a

SHA256
2ed1e59f27f8ffcc634bb7b454d347ab76878895135827d02311bdc17dca81cb

SHA512
819da5a4e1576f6d80b3ffd945f313327d28742b7bbfb996662610a9aec56f5834581fd3e3910db4180499d58de032f96245bdaafcfb2a2bcbb68549100d6214

Download Submit
C:\Users\Admin\AppData\Local\Temp\3445.tmp.bat

Filesize
109B

MD5
10f3aa1fa569d1f1f59bee1ec20b698c

SHA1
08da8417c4bf2855ec1c20a04fb4a0d3da04bea8

SHA256
f268d0a1362df6cb04b382027cb866cfb78cf0b215152f814275d761d9ef50bf

SHA512
89f825953e5e5273e675811e944edeefe0ec0e7f596391da442107a26b5921fbc3f91feeebdfa65270075a132233d0b5e3a2ef9132450bc97e9cd048fb817a90

Download Submit
C:\Users\Admin\Desktop\984466-Readme.txt

Filesize
1KB

MD5
29d9599f0bb17b09fccedc6958374c41

SHA1
514ff349121a9c5129a037eac390f436158b77f8

SHA256
4ec55deb41320fe9d1cc19ac1bb0e950dc4b84cb6ab9e54e2dc96a3685e29596

SHA512
2e6c21fce00c66160f6e704ce2ddb4f0192bf4b874ab716ebdcd725bceb2c4451d118c02dd6a844e84cf4ea16af5abb7b70848dc445d7f4f2f3b1d2c9d47ec02

Download Submit