netwalker | 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
Size

296KB
MD5

258ed03a6e4d9012f8102c635a5e3dcd
SHA1

a3bc2a30318f9bd2b51cb57e2022996e7f15c69e
SHA256

8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160
SHA512

967414274cb8d8fdf0e4dd446332b37060d54a726ab77f4ec704a5afe12162e098183add4342d1710db1e1c3b74035a001cf4c2d7790a27bf6d8381c34a96889
SSDEEP

3072:Kv4ZAWXDSxcoWn+v75ssiEcx7fWr5JNfb23y2O1Nm5dc:B1X7vwVspdOJND01

Score

10^/10

netwalker defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\2FAF28-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .2faf28 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_2faf28: 0gcodg9II6luesrgeBVOAjE8dnxvUTjzr7idm+m6FrKRRhQa73 YwdoqUj5dig3bzoeWOHcVLQb4SIfnIEwBzOFhnYVeUaaZ241Zj Al6KTHAuECu2IBngwPmccSB1ZfvoKI6Z72swIveso29CSQn8yK VesCbv0AUNvOmr7mw9Wj5a97MEFA9xyb8I0fyy1YKnIvEl+8Gx Q7gY+0+Fw6JErysRrdC0DreRVIJFm5CPXdJP40jWCaZYvemfm7 nR008afyEi7x7BoosR5TqYzAiRr7Hfko0gkiYIxQ==}

URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Detected Netwalker Ransomware 6 IoCs

Detected unpacked Netwalker executable.

Processes:

resource	yara_rule
behavioral1/memory/548-1-0x0000000000400000-0x0000000000414000-memory.dmp	netwalker_ransomware
behavioral1/memory/548-1948-0x0000000000400000-0x0000000000414000-memory.dmp	netwalker_ransomware
behavioral1/memory/548-2276-0x0000000000400000-0x000000000044B000-memory.dmp	netwalker_ransomware
behavioral1/memory/548-6877-0x0000000000400000-0x000000000044B000-memory.dmp	netwalker_ransomware
behavioral1/memory/548-8311-0x0000000000400000-0x000000000044B000-memory.dmp	netwalker_ransomware
behavioral1/memory/548-8312-0x0000000000400000-0x0000000000414000-memory.dmp	netwalker_ransomware

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (7383) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2904	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

Processes:

8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MET	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\2FAF28-Readme.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_zh_CN.jar	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14753_.GIF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_ja_4.4.0.v20140623020002.jar	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107742.WMF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR46B.GIF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107350.WMF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\MDIParent.zip	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\2FAF28-Readme.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00932_.WMF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pitcairn	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN082.XML	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\2FAF28-Readme.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00910_.WMF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Pontianak	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yakutsk	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21413_.GIF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00792_.WMF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107748.WMF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107712.WMF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_ja.jar	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Andorra	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19695_.WMF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_zh_4.4.0.v20140623020002.jar	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18193_.WMF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\TAB_ON.GIF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Havana	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03331_.WMF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGNAVBAR.XML	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103402.WMF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_COL.HXT	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00058_.WMF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKREQ.CFG	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301050.WMF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD10890_.GIF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02291U.BMP	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0157995.WMF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\2FAF28-Readme.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\2FAF28-Readme.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Lima	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02124_.WMF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\DADSHIRT.HTM	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_zh_CN.jar	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File created	C:\Program Files\Java\jre7\lib\2FAF28-Readme.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\BG_ADOBE.GIF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105974.WMF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105244.WMF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241019.WMF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14833_.GIF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0230558.WMF	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_F_COL.HXK	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exenotepad.execmd.exetaskkill.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exe

pid	Process
1792	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
5428	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe

pid	Process
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exevssvc.exetaskkill.exe

description	pid	Process
Token: SeDebugPrivilege	548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
Token: SeImpersonatePrivilege	548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
Token: SeBackupPrivilege	2604	vssvc.exe
Token: SeRestorePrivilege	2604	vssvc.exe
Token: SeAuditPrivilege	2604	vssvc.exe
Token: SeDebugPrivilege	5428	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.execmd.exe

description	pid	Process	procid_target
PID 548 wrote to memory of 1792	548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	31
PID 548 wrote to memory of 1792	548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	31
PID 548 wrote to memory of 1792	548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	31
PID 548 wrote to memory of 1792	548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	31
PID 548 wrote to memory of 2264	548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	36
PID 548 wrote to memory of 2264	548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	36
PID 548 wrote to memory of 2264	548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	36
PID 548 wrote to memory of 2264	548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	36
PID 548 wrote to memory of 2904	548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	37
PID 548 wrote to memory of 2904	548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	37
PID 548 wrote to memory of 2904	548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	37
PID 548 wrote to memory of 2904	548	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	37
PID 2904 wrote to memory of 5428	2904	cmd.exe	39
PID 2904 wrote to memory of 5428	2904	cmd.exe	39
PID 2904 wrote to memory of 5428	2904	cmd.exe	39
PID 2904 wrote to memory of 5428	2904	cmd.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
"C:\Users\Admin\AppData\Local\Temp\8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1792
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\2FAF28-Readme.txt"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\473D.tmp.bat"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /PID 548
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5428

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_CValidator.H1D.2faf28

Filesize
12KB

MD5
01514c62717f0636a3ccce6a9f036916

SHA1
fbf6438a73f27a6d453672d3e35a3c23ee8221e2

SHA256
5284b700de79afe5fa7d175e3681f5c67d1c576555b2bf0d44e3aba94e69dbf6

SHA512
78d8db13ee38e91cfbb49602477fd0d353b3cd0e7d4f7f81237f6c7f90379397fbfc45353b6cd5f09a170c13c4046980547e7c663a28dc098e506db822a93d74

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MKWD_BestBet.H1W.2faf28

Filesize
422KB

MD5
5d205aeb2582bf4ab89dd70c29154ccd

SHA1
182619a9b8b9780ffb9433ada800a8bfba85c9ac

SHA256
d5845d396bbd1d1ca6c75a8bab6007a985acb38d0e9f8903f398c18a4449eb65

SHA512
7ea58c35c2ef4f81df85d3e717c32b57c75203fec5ae4b85411e7661258fb86e33b98a528892a1bdf87948feb0d6eaed9ae9708d930c8a012b70365e41a8c2c9

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MTOC_help.H1H.2faf28

Filesize
546KB

MD5
29e162eae22da9865e2bfc1f42e18b95

SHA1
c82d2f64222c3612f5e2410b46e2dceee84658ea

SHA256
9c32f5da741e9daf2f1ea644da007f41438b77cdf2d761890ae17b0cb093afc9

SHA512
966a7a7028312ad51122bc003131579dc5da64739b4271918620146bc182a032734db2fdae95922c3af9d9f9262a0146d6249b699461cd7d8e9291262bec465c

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MValidator.H1D.2faf28

Filesize
14KB

MD5
2a5df62ebac1137a957759f1d1013233

SHA1
230306002558c4ca122997e1274415f2dd2c39b8

SHA256
f525f4ebbb3fa5ad946a31c442bce3962f97563de7b431360805d1950b30c7b6

SHA512
5b2cd8f0796ad49c934f57f685f7a04591a1254735faf3768e82e3bbdf9868d80e0979986ef98bc418abb8ab4252194ab3fae911ec73244216ff97ab5e38975a

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MKWD_AssetId.H1W.2faf28

Filesize
229KB

MD5
33d592dc4bef454dcfcc943404bff5c6

SHA1
c0e82a9999a8e95141fdeef7f6550d1b89339561

SHA256
d813dc2c2df2fe156e1f3eb69891f7045163cbb058bef99b5fb72bd1d1337f12

SHA512
b90f7e02d86a347a169a2c3a9af7430483607abfb8089c8a1c21eea6a432a3aa3905982fe737f0dfaef4391b05ba8f1e1b67af81f405ff528fed53d0824e4b4a

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MKWD_BestBet.H1W.2faf28

Filesize
357KB

MD5
911bc9d755940bbb7c87a03e6a54c439

SHA1
8ae740547530b4e923a09272b6d24a37971024c4

SHA256
3cc0a18d2027bbedbd22d96d20eaad2b374a8429f42b5348b26b63d98ffed1d3

SHA512
851edcc6237bde74b391d7c37dd5ad1d9ca60790177fa7462e27462c338d334ef54c5b99bf2c74626382bf0d000b5740dda7e0b275ee5d46caf5f7a60098eb47

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MTOC_help.H1H.2faf28

Filesize
352KB

MD5
877687b1b04e9e1c87b5e91fa19576e2

SHA1
db82f730bde050578a80e290d45fa4553196cdeb

SHA256
2bf8a4adbdd0f39523efb9006fef9bcf3b50d3853334fa90d18ee73d2f8be4b7

SHA512
e129b854a8b53d753eb91b85adce40e75be584de5dd4d2c35e2c15d2cbbd6aa39e8bdfee1cd19e097819f8f2d2125d1aa62d29aac44365f94101b1ba3306bc36

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MValidator.Lck.2faf28

Filesize
284B

MD5
636efe0f5e9b28e7d3b9336ac7470ce5

SHA1
78ecd9112f178bd1b20d716c44c184d90132223e

SHA256
4f76a0c655c27a1b8bc4e71b7043ad288d07ca9f0e3616e184f8564dc11ea86e

SHA512
e31460be9c82acb5b755dbf2b981af727dcf64e4856228dd3da7d465cb48066393ea60b9d9fc17dbda6cb0b50343c5cd5490fe72d6ed8365b130991d8a60c02c

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help{E1E8F15E-8BEC-45DF-83BF-50FF84D0CAB5}.H1Q.2faf28

Filesize
1.2MB

MD5
66dfd4b49ffcf7cdd48fe7ec9c5de49d

SHA1
cda02fe668988a285d7544ea99d89f411ae68d8f

SHA256
0aa4ee75ebe46172fda4e39cafb411c5ee0d3eb33afc8fdb84e1a1f48a410071

SHA512
d1fe26ddf586fce003435d3672a2980df11e7168a8b650655bab2baf96768918d906ffa5ce2c42799fffe05eff8a95a1aa4fea372bf43cc09b71f5e1b40b3678

Download Submit
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\2FAF28-Readme.txt

Filesize
1KB

MD5
87d8824c9a6f302b3ef5d18d6acdee7a

SHA1
655e9a41d867c854856d3200b6b7df01e89516c8

SHA256
6111f2d1fab67db7af88a2d3774c7fc9bfe5f5f8983af1186ea4bc6296d98963

SHA512
b70f8d53814ed9514e618151805a8a26377645d477c6d5e43c49406df311f615e6afa0d402ab7ba80f7d68d21b3a9eabb3ee6f6342b0618c027bcee585f121b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\473D.tmp.bat

Filesize
140B

MD5
90e822212c4e1769a5ec347d90e574e6

SHA1
32d80ed19d13ac04958ea420b76a2849ee02598c

SHA256
5715b23eeeb9c46be3bd313454bc23d0b8d2f357a71e9e586b4fde24829095ae

SHA512
558811b1d3e1d55d2eabfbbe5c258e4adafb73b39959c87462c0ad6de9deff8db2a8d469de9ba0cbbe22efc207ff0b0f34ac1317afb6239be358db14877a9726

Download Submit
memory/548-0-0x00000000002C0000-0x00000000002E6000-memory.dmp

Filesize
152KB

Download
memory/548-6877-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/548-2276-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/548-1948-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/548-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/548-8311-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/548-8312-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download