netwalker | 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160

Analysis

max time kernel
91s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
Size

296KB
MD5

258ed03a6e4d9012f8102c635a5e3dcd
SHA1

a3bc2a30318f9bd2b51cb57e2022996e7f15c69e
SHA256

8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160
SHA512

967414274cb8d8fdf0e4dd446332b37060d54a726ab77f4ec704a5afe12162e098183add4342d1710db1e1c3b74035a001cf4c2d7790a27bf6d8381c34a96889
SSDEEP

3072:Kv4ZAWXDSxcoWn+v75ssiEcx7fWr5JNfb23y2O1Nm5dc:B1X7vwVspdOJND01

Score

10^/10

netwalker defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\C1DE0E-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .c1de0e -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_c1de0e: Wpl09i49IjkDLXkWTiccIfn8SRYWDe6wYdCETzGSxYXxPpO/wb AHrRNGNddLthR1fiW3wxSugDJIlmuMaTmSxFxQy5klfpwv41Zj AmdLD7L/MJGsVt3UlVixbXpyZz9vPssGZ2mA3P4CEN3G8/q/Kb l8XzlzLaIv8u8mjDt+k4orVlP5xFYos2OAjUd/y6dOIEZ1SfRA k8ZocZH7R2F01X3mAvghwzqIp3AKxgv+8idzTN1jQr6HxVt6fi USn5UIIB8Ni9mI4H5D5428XSPvi99rzeJaysLxhw==}

URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Detected Netwalker Ransomware 6 IoCs

Detected unpacked Netwalker executable.

Processes:

resource	yara_rule
behavioral2/memory/1448-1-0x0000000000400000-0x0000000000414000-memory.dmp	netwalker_ransomware
behavioral2/memory/1448-3657-0x0000000000400000-0x000000000044B000-memory.dmp	netwalker_ransomware
behavioral2/memory/1448-4074-0x0000000000400000-0x0000000000414000-memory.dmp	netwalker_ransomware
behavioral2/memory/1448-8844-0x0000000000400000-0x000000000044B000-memory.dmp	netwalker_ransomware
behavioral2/memory/1448-8855-0x0000000000400000-0x0000000000414000-memory.dmp	netwalker_ransomware
behavioral2/memory/1448-8854-0x0000000000400000-0x000000000044B000-memory.dmp	netwalker_ransomware

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6663) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

Processes:

8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-100_contrast-white.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\TimelessResume.dotx	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File created	C:\Program Files\Java\jre-1.8\lib\amd64\C1DE0E-Readme.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_ES.LEX	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\remixCTA_welcome.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-300.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\C1DE0E-Readme.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-200_contrast-white.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sq.pak.DATA	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\caution.svg	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sr.pak.DATA	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ul-oob.xrm-ms	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-oob.xrm-ms	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24_altform-unplated.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hu-hu\C1DE0E-Readme.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\lv.pak.DATA	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\C1DE0E-Readme.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\C1DE0E-Readme.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-200_contrast-white.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-20_contrast-black.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-400_contrast-white.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\vlc.mo	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_agreement_filetype.svg	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-250.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-125.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CommunityInterop.winmd	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-16_altform-unplated_contrast-black.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.winmd	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Marble.dxt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Advertising	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ppd.xrm-ms	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-black_scale-200.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-down.svg	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\C1DE0E-Readme.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_EyeLashEye.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-100.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-150.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleAppStoreLogo.scale-125.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\C1DE0E-Readme.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\C1DE0E-Readme.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-si\C1DE0E-Readme.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nextarrow_default.svg	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-32_altform-unplated.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-32_altform-unplated.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\duplicate.svg	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\ui-strings.js	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.scale-200.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\RunningLate.scale-64.png	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\C1DE0E-Readme.txt	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

notepad.execmd.exetaskkill.exe8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

220 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

100 taskkill.exe

pid	process
220	vssadmin.exe

pid	process
100	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe

pid	process
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exevssvc.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
Token: SeImpersonatePrivilege	1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
Token: SeBackupPrivilege	212	vssvc.exe
Token: SeRestorePrivilege	212	vssvc.exe
Token: SeAuditPrivilege	212	vssvc.exe
Token: SeDebugPrivilege	100	taskkill.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.execmd.exe

description	pid	process	target process
PID 1448 wrote to memory of 220	1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	vssadmin.exe
PID 1448 wrote to memory of 220	1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	vssadmin.exe
PID 1448 wrote to memory of 6776	1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	notepad.exe
PID 1448 wrote to memory of 6776	1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	notepad.exe
PID 1448 wrote to memory of 6776	1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	notepad.exe
PID 1448 wrote to memory of 5132	1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	cmd.exe
PID 1448 wrote to memory of 5132	1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	cmd.exe
PID 1448 wrote to memory of 5132	1448	8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe	cmd.exe
PID 5132 wrote to memory of 100	5132	cmd.exe	taskkill.exe
PID 5132 wrote to memory of 100	5132	cmd.exe	taskkill.exe
PID 5132 wrote to memory of 100	5132	cmd.exe	taskkill.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe
"C:\Users\Admin\AppData\Local\Temp\8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:220
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\C1DE0E-Readme.txt"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\40DC.tmp.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /PID 1448
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\C1DE0E-Readme.txt

Filesize
1KB

MD5
ced5d1fd96cf65fdb887325a0d043836

SHA1
d6b28cbe625a552adbb301ec3b6a0bc9da49663a

SHA256
0357326e34a9592565db48dda9c866be08af827987be4d53f7f14680808aa1da

SHA512
caa755da171754e4995bb7e27cbedc04c14ed1baeb452faa6ef3780efa0bab8d8f01e4ad89ff7e10fb5c26d2b13112ef3ba76cab8f6f4576872feb9168e91eec

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml.c1de0e

Filesize
910B

MD5
23b8fc2ab4b2b318f1a65b53db9cd39a

SHA1
aaeffe19b365c4012e9d79e53151e13067256fb2

SHA256
f5da131481654861a9494399ee6b13270e756a6cd71755eda5de52f2b7b7a741

SHA512
7d5ed4b4625dda4fb8174a8589949e72893dd77ada063bdad4f450c64d86ba65b715fb961b16f6ab6dff2413342d1e9cd0c6ee94d94516bb42fd99e83ece460b

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
3.3MB

MD5
f28901b2e264545882d7011ae266792b

SHA1
6ca7ff375ab61de1388a4fd5e5db0a667326fbdc

SHA256
b53dfccff55cb569eb6bfb17d5b724ecf2f4a6d020cd21f9c07fbb71496e299c

SHA512
c3773c10413af21a5f5bc5479ca3773cbd04ae2237abacd2a3059e1bec40aa470f7e096191ccf72fa484d9c002329f07684c65ceae42f496e819c27c158d46db

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.c1de0e

Filesize
24KB

MD5
939dbfdc0814ff798a823188918459e4

SHA1
9932dd4320d53b778647b8055de91e98ad1760b4

SHA256
c278f93b06ad0bd13bf7330a00e4025fa538881bc2e764bae8724aedcb5a88ed

SHA512
3213f958456010b630e1e37d18fa0afb979084e09c75532bd29533db2939fa66ef89c819b67689261b2960e81ce712dccbc1ef720a03e4bbcfa96d0d9785bcf0

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl.c1de0e

Filesize
1KB

MD5
db82d8b0bec41ac084b97141a883900f

SHA1
ca1d47d02e3250aa7e8d4417da0417493deb63a6

SHA256
0c8995db5466db6a0f4e3eeb0689c132a0b5f9f2cf48663548040e76743dddf7

SHA512
b9a1248526c33d4e84ea532ac8092d1019d849fcc1af1a91dfe92d86ab10fad9af59fc939f9b800245bb04451915d282d0e5ee44378b28e1390c26c032b19560

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\630a70e7-1832-4f42-e2a2-5d35fdddc45f.xml.c1de0e

Filesize
3KB

MD5
28a1b3ce5d4633fc95f1e0de8089e52d

SHA1
934069abd14c6b300c6da585171a847b7897e292

SHA256
1248b274c793b33ad25c6b19113cdadc23419e44401a8c1b5cdd97844e2026ff

SHA512
85a9312208e418a9ce78226b11cbed99845b4e289eccf3b58e40f324775cc7023057439021679f8ce9698d132488339ac6e3dde2ec8b648b7f179fec8284636e

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\8292682a-6850-c06c-9b6d-9646f16d4ed0.xml.c1de0e

Filesize
2KB

MD5
e5b083cafa3b387f50cbe1797a48ec71

SHA1
2c500d2fbbec256f036fc757bd1139f2a2d0f1e1

SHA256
5ccda1f1806d535b7ab748dc019151b4dfa277cdb1672fa75a6ff8befeed3dee

SHA512
de40310a7c1f6e7161ee8c24c69bcb333b1301164c6f2051b5a9a8d2069d2250a90d7717b7a4b9a48e50c504361d291ccba1934b63b60a890592eb61742af94b

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\8e383e90-b2f9-7bf2-1d5b-4e47dcb2014e.xml.c1de0e

Filesize
2KB

MD5
e3f8bf7c158b3af651125ba5e6457f38

SHA1
721e603f5f88512da634cd8088b3ceec722fbf07

SHA256
5e2d9b6ba4f9bf528e74f3562ffbf4137e4be8a442f1a89305d9a56589c92a0a

SHA512
ddeb879549bdba8d3e5e16b3f13a085be12281c753dfc82054d20c1f9bb0206d2244020af90ca37a49f3d9153062c368c08948bda38d566401de4fd47aab7fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\40DC.tmp.bat

Filesize
141B

MD5
1ae668f78ca5429b35d714fb0020f74d

SHA1
cce37d07d43171590c1af22ce0217dfdbe26ad61

SHA256
e02359d2ed3c7ae591a6789fb7d056ad320ae0179c5875fc654b5cbad03cdd16

SHA512
2956c231404c0d28b67e71003cb8f2f894f6ec570d507c8eb9f2b74ecfcbf4f41f9ad09235b2341459ce4f2ae3427c21d4d2d6b3c62a9fcdb2a0bda1db695a79

Download Submit
memory/1448-3657-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1448-4074-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1448-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1448-8844-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1448-8855-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1448-8854-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1448-0-0x00000000005F0000-0x0000000000616000-memory.dmp

Filesize
152KB

Download