Analysis
-
max time kernel
91s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21-09-2024 20:35
Behavioral task
behavioral1
Sample
8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
Resource
win10v2004-20240802-en
General
-
Target
8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
-
Size
296KB
-
MD5
258ed03a6e4d9012f8102c635a5e3dcd
-
SHA1
a3bc2a30318f9bd2b51cb57e2022996e7f15c69e
-
SHA256
8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160
-
SHA512
967414274cb8d8fdf0e4dd446332b37060d54a726ab77f4ec704a5afe12162e098183add4342d1710db1e1c3b74035a001cf4c2d7790a27bf6d8381c34a96889
-
SSDEEP
3072:Kv4ZAWXDSxcoWn+v75ssiEcx7fWr5JNfb23y2O1Nm5dc:B1X7vwVspdOJND01
Malware Config
Extracted
C:\Program Files (x86)\Adobe\Acrobat Reader DC\C1DE0E-Readme.txt
netwalker
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
-
Detected Netwalker Ransomware 6 IoCs
Detected unpacked Netwalker executable.
resource yara_rule behavioral2/memory/1448-1-0x0000000000400000-0x0000000000414000-memory.dmp netwalker_ransomware behavioral2/memory/1448-3657-0x0000000000400000-0x000000000044B000-memory.dmp netwalker_ransomware behavioral2/memory/1448-4074-0x0000000000400000-0x0000000000414000-memory.dmp netwalker_ransomware behavioral2/memory/1448-8844-0x0000000000400000-0x000000000044B000-memory.dmp netwalker_ransomware behavioral2/memory/1448-8855-0x0000000000400000-0x0000000000414000-memory.dmp netwalker_ransomware behavioral2/memory/1448-8854-0x0000000000400000-0x000000000044B000-memory.dmp netwalker_ransomware -
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (6663) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-100_contrast-white.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\TimelessResume.dotx 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File created C:\Program Files\Java\jre-1.8\lib\amd64\C1DE0E-Readme.txt 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_ES.LEX 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\remixCTA_welcome.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-300.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\C1DE0E-Readme.txt 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-200_contrast-white.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sq.pak.DATA 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\caution.svg 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sr.pak.DATA 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ul-oob.xrm-ms 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-oob.xrm-ms 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24_altform-unplated.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hu-hu\C1DE0E-Readme.txt 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\7-Zip\Lang\ne.txt 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\lv.pak.DATA 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\C1DE0E-Readme.txt 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\C1DE0E-Readme.txt 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-200_contrast-white.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-20_contrast-black.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-400_contrast-white.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\vlc.mo 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_agreement_filetype.svg 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-250.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-125.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CommunityInterop.winmd 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-16_altform-unplated_contrast-black.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.winmd 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Marble.dxt 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Advertising 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ppd.xrm-ms 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-black_scale-200.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-down.svg 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\C1DE0E-Readme.txt 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_EyeLashEye.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-100.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-150.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleAppStoreLogo.scale-125.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\C1DE0E-Readme.txt 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\C1DE0E-Readme.txt 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-si\C1DE0E-Readme.txt 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nextarrow_default.svg 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-32_altform-unplated.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-32_altform-unplated.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\duplicate.svg 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\ui-strings.js 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.scale-200.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\RunningLate.scale-64.png 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\C1DE0E-Readme.txt 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 220 vssadmin.exe -
Kills process with taskkill 1 IoCs
pid Process 100 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe Token: SeImpersonatePrivilege 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe Token: SeBackupPrivilege 212 vssvc.exe Token: SeRestorePrivilege 212 vssvc.exe Token: SeAuditPrivilege 212 vssvc.exe Token: SeDebugPrivilege 100 taskkill.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1448 wrote to memory of 220 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 84 PID 1448 wrote to memory of 220 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 84 PID 1448 wrote to memory of 6776 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 97 PID 1448 wrote to memory of 6776 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 97 PID 1448 wrote to memory of 6776 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 97 PID 1448 wrote to memory of 5132 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 98 PID 1448 wrote to memory of 5132 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 98 PID 1448 wrote to memory of 5132 1448 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe 98 PID 5132 wrote to memory of 100 5132 cmd.exe 100 PID 5132 wrote to memory of 100 5132 cmd.exe 100 PID 5132 wrote to memory of 100 5132 cmd.exe 100 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe"C:\Users\Admin\AppData\Local\Temp\8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:220
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\C1DE0E-Readme.txt"2⤵
- System Location Discovery: System Language Discovery
PID:6776
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\40DC.tmp.bat"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5132 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 14483⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:100
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:212
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ced5d1fd96cf65fdb887325a0d043836
SHA1d6b28cbe625a552adbb301ec3b6a0bc9da49663a
SHA2560357326e34a9592565db48dda9c866be08af827987be4d53f7f14680808aa1da
SHA512caa755da171754e4995bb7e27cbedc04c14ed1baeb452faa6ef3780efa0bab8d8f01e4ad89ff7e10fb5c26d2b13112ef3ba76cab8f6f4576872feb9168e91eec
-
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml.c1de0e
Filesize910B
MD523b8fc2ab4b2b318f1a65b53db9cd39a
SHA1aaeffe19b365c4012e9d79e53151e13067256fb2
SHA256f5da131481654861a9494399ee6b13270e756a6cd71755eda5de52f2b7b7a741
SHA5127d5ed4b4625dda4fb8174a8589949e72893dd77ada063bdad4f450c64d86ba65b715fb961b16f6ab6dff2413342d1e9cd0c6ee94d94516bb42fd99e83ece460b
-
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml
Filesize3.3MB
MD5f28901b2e264545882d7011ae266792b
SHA16ca7ff375ab61de1388a4fd5e5db0a667326fbdc
SHA256b53dfccff55cb569eb6bfb17d5b724ecf2f4a6d020cd21f9c07fbb71496e299c
SHA512c3773c10413af21a5f5bc5479ca3773cbd04ae2237abacd2a3059e1bec40aa470f7e096191ccf72fa484d9c002329f07684c65ceae42f496e819c27c158d46db
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.c1de0e
Filesize24KB
MD5939dbfdc0814ff798a823188918459e4
SHA19932dd4320d53b778647b8055de91e98ad1760b4
SHA256c278f93b06ad0bd13bf7330a00e4025fa538881bc2e764bae8724aedcb5a88ed
SHA5123213f958456010b630e1e37d18fa0afb979084e09c75532bd29533db2939fa66ef89c819b67689261b2960e81ce712dccbc1ef720a03e4bbcfa96d0d9785bcf0
-
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl.c1de0e
Filesize1KB
MD5db82d8b0bec41ac084b97141a883900f
SHA1ca1d47d02e3250aa7e8d4417da0417493deb63a6
SHA2560c8995db5466db6a0f4e3eeb0689c132a0b5f9f2cf48663548040e76743dddf7
SHA512b9a1248526c33d4e84ea532ac8092d1019d849fcc1af1a91dfe92d86ab10fad9af59fc939f9b800245bb04451915d282d0e5ee44378b28e1390c26c032b19560
-
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\630a70e7-1832-4f42-e2a2-5d35fdddc45f.xml.c1de0e
Filesize3KB
MD528a1b3ce5d4633fc95f1e0de8089e52d
SHA1934069abd14c6b300c6da585171a847b7897e292
SHA2561248b274c793b33ad25c6b19113cdadc23419e44401a8c1b5cdd97844e2026ff
SHA51285a9312208e418a9ce78226b11cbed99845b4e289eccf3b58e40f324775cc7023057439021679f8ce9698d132488339ac6e3dde2ec8b648b7f179fec8284636e
-
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\8292682a-6850-c06c-9b6d-9646f16d4ed0.xml.c1de0e
Filesize2KB
MD5e5b083cafa3b387f50cbe1797a48ec71
SHA12c500d2fbbec256f036fc757bd1139f2a2d0f1e1
SHA2565ccda1f1806d535b7ab748dc019151b4dfa277cdb1672fa75a6ff8befeed3dee
SHA512de40310a7c1f6e7161ee8c24c69bcb333b1301164c6f2051b5a9a8d2069d2250a90d7717b7a4b9a48e50c504361d291ccba1934b63b60a890592eb61742af94b
-
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\8e383e90-b2f9-7bf2-1d5b-4e47dcb2014e.xml.c1de0e
Filesize2KB
MD5e3f8bf7c158b3af651125ba5e6457f38
SHA1721e603f5f88512da634cd8088b3ceec722fbf07
SHA2565e2d9b6ba4f9bf528e74f3562ffbf4137e4be8a442f1a89305d9a56589c92a0a
SHA512ddeb879549bdba8d3e5e16b3f13a085be12281c753dfc82054d20c1f9bb0206d2244020af90ca37a49f3d9153062c368c08948bda38d566401de4fd47aab7fe6
-
Filesize
141B
MD51ae668f78ca5429b35d714fb0020f74d
SHA1cce37d07d43171590c1af22ce0217dfdbe26ad61
SHA256e02359d2ed3c7ae591a6789fb7d056ad320ae0179c5875fc654b5cbad03cdd16
SHA5122956c231404c0d28b67e71003cb8f2f894f6ec570d507c8eb9f2b74ecfcbf4f41f9ad09235b2341459ce4f2ae3427c21d4d2d6b3c62a9fcdb2a0bda1db695a79