netwalker | 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8

General

Target

(2020) Netwalker.exe
Size

69KB
MD5

80372de850597bd9e7e021a94f13f0a1
SHA1

037db820c8dee94ae25a439b758a2b89f527cbb4
SHA256

2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8
SHA512

f43db3569ac60d6ed55b9a3a24dcb459e14b0bd944e9405a8cb2bfb686eaeff31c82ffcd6c477d6a6affe9014ae8ed7d8af174e8ceebbcf00b64ad293901a77a
SSDEEP

1536:juCWRxL7hbUiQfovecnXUU+hhOZuIWiFp+ZfaBZebC33O+Pd71vb:KCWf7VJQfmeMXvkhOZu1iFBBZebC3F7t

Score

10^/10

netwalker defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\2FD520-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .2fd520 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_2fd520: 4KyOsro65d8fSqpCLRv5yqB1AmVW+UcbIzWmN4yILtbKBeaDsK mU8h+sc0f58Q2kD59nOJe3+JJ2BDAlLQ3TFtL1q5Vft3hTAg4e DcBB0TrafQKYth4x/Rj7nja9OOO6qXUYsLqPTSQ51YnVPjzq4l 4ZkUnUBC/4p/I0GeTbqYQB9HKyBmK1JzY03Qa+RlFcyiy2VbXz n3nKvb2G5IOWJ3VdFoQFP3xaHhADVOHAJa07aHUhhcd7U2+k6V XnDMxZ8LWeW9jpLcXfbwdlAFFhKQIby/gb9ojM4w==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Netwalker family
netwalker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6807) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

Processes:

(2020) Netwalker.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\2FD520-Readme.txt	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-36_altform-unplated_contrast-black.png	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\CT_ROOTS.XML	(2020) Netwalker.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\plugin.X.manifest	(2020) Netwalker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.cat	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\192.png	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-400.png	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\DemoNotebook.onepkg	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png	(2020) Netwalker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML	(2020) Netwalker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tracedefinition130.xml	(2020) Netwalker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\ui-strings.js	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36_altform-lightunplated.png	(2020) Netwalker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.manifest	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\MicrosoftSolitaireMedTile.scale-125.jpg	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\8px.png	(2020) Netwalker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md	(2020) Netwalker.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\es-ES.PhoneNumber.model	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBarNotificationLogo.png	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xea23.png	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200_contrast-high.png	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png	(2020) Netwalker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\eu-es\ui-strings.js	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\AppxManifest.xml	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	(2020) Netwalker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\ui-strings.js	(2020) Netwalker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-default_32.svg	(2020) Netwalker.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-32.png	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosAppList.scale-100.png	(2020) Netwalker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms	(2020) Netwalker.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\eu-es\2FD520-Readme.txt	(2020) Netwalker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	(2020) Netwalker.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\2FD520-Readme.txt	(2020) Netwalker.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-gb\2FD520-Readme.txt	(2020) Netwalker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hu-hu\ui-strings.js	(2020) Netwalker.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\2FD520-Readme.txt	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-36.png	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-24_contrast-black.png	(2020) Netwalker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\MSTAG.TLB	(2020) Netwalker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2437139445-1151884604-3026847218-1000-MergedResources-0.pri	(2020) Netwalker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.scale-100.png	(2020) Netwalker.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\common.js	(2020) Netwalker.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il\2FD520-Readme.txt	(2020) Netwalker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\ui-strings.js	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-unplated_contrast-white.png	(2020) Netwalker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md	(2020) Netwalker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png	(2020) Netwalker.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nl-nl\2FD520-Readme.txt	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-200.png	(2020) Netwalker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\selector.js	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxManifest.xml	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	(2020) Netwalker.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	(2020) Netwalker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions2x.png	(2020) Netwalker.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

(2020) Netwalker.exenotepad.execmd.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	(2020) Netwalker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

4048 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

9824 taskkill.exe

pid	process
4048	vssadmin.exe

pid	process
9824	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

(2020) Netwalker.exe

pid	process
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe
5108	(2020) Netwalker.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

(2020) Netwalker.exevssvc.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	5108	(2020) Netwalker.exe
Token: SeImpersonatePrivilege	5108	(2020) Netwalker.exe
Token: SeBackupPrivilege	5056	vssvc.exe
Token: SeRestorePrivilege	5056	vssvc.exe
Token: SeAuditPrivilege	5056	vssvc.exe
Token: SeDebugPrivilege	9824	taskkill.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

(2020) Netwalker.execmd.exe

description	pid	process	target process
PID 5108 wrote to memory of 4048	5108	(2020) Netwalker.exe	vssadmin.exe
PID 5108 wrote to memory of 4048	5108	(2020) Netwalker.exe	vssadmin.exe
PID 5108 wrote to memory of 4628	5108	(2020) Netwalker.exe	notepad.exe
PID 5108 wrote to memory of 4628	5108	(2020) Netwalker.exe	notepad.exe
PID 5108 wrote to memory of 4628	5108	(2020) Netwalker.exe	notepad.exe
PID 5108 wrote to memory of 5328	5108	(2020) Netwalker.exe	cmd.exe
PID 5108 wrote to memory of 5328	5108	(2020) Netwalker.exe	cmd.exe
PID 5108 wrote to memory of 5328	5108	(2020) Netwalker.exe	cmd.exe
PID 5328 wrote to memory of 9824	5328	cmd.exe	taskkill.exe
PID 5328 wrote to memory of 9824	5328	cmd.exe	taskkill.exe
PID 5328 wrote to memory of 9824	5328	cmd.exe	taskkill.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\(2020) Netwalker.exe
"C:\Users\Admin\AppData\Local\Temp\(2020) Netwalker.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4048
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\2FD520-Readme.txt"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\56A.tmp.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5328
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /PID 5108
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

1

T1006

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml.2fd520

Filesize
910B

MD5
9933b71209c74a9611ad1b07475c5104

SHA1
67a8774dfb94fe9ce36d4e99218ef30cd32846c9

SHA256
ab7fbdcde0c7c9cfc7fe1e78379f9edb7bc1978de19da6010e877b09deeeb3fa

SHA512
b7877a86aeeba72fbc7ef5f290df7b70bd500ec60aba4ca1aa934272306bc91a6d5786d6db6a592f7b48528c173caadc07b94039431d45c3ac7f7a4add93e2fa

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
3.3MB

MD5
b9dd02b913c5213c4abc90dfd072a2c8

SHA1
8972c5850b97549ac488c707637cd1d288d943c5

SHA256
918654bf2a7a712197462d803f8c803e26c29d616d68692d5fa64e22f6b8f4c8

SHA512
332b4443eaa827c5eb767dac80a7f1b1fa177f4b27394fd0a33a9d0c393a4e940f1fcbbd89564b62cf125bbfd10023eabc3cb8249f7d3c20ae608612f04ef0b2

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml.2fd520

Filesize
27KB

MD5
cf1c64e3d358bfbddb7726eb9489dca2

SHA1
e438c6487aecde93c0615a393f1af3cf4ec6ece4

SHA256
b1b5402204274df0007907f0dfc4e5d281e793ff28070ffdee44af88d561b613

SHA512
da29bbbf5f6be376d4a69551435d55603a4be74bb85a3874278fbe7cfb72d3c8ab185e23ab8a131d17ac87eafedf1f259f16b269daef0499f79cb72616cdc60c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml.2fd520

Filesize
4KB

MD5
814132aa71a17b0c6f3e1ebdfac0b017

SHA1
0303d1de33cc04f8fecde527b8cb83cbc394339a

SHA256
940fe14bb8c8739f40e3cd9c7b3e3361a3ab974e43da4ff68aee1d1374fbd0e7

SHA512
0be2cf197ce2968ebdf8391b3ec5fa72b4b964b1d3d9623e595a8959423a60c4b10c11a93fdd9113f37179bfe78c098a1f581de97ab99cec58717daf22c450e0

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\2FD520-Readme.txt

Filesize
1KB

MD5
9c47d6224a370614ba402213938ebeff

SHA1
0a157ffe45c92778f9206164a237b764bdfd7986

SHA256
c402072a15fe89441a65b9704269b192ab04428ee979c990a752af55696c4aaa

SHA512
6136a3fba15fa2b9d9a57d0c9382f45521948c2de28ecfaaeb11cd77e2227442e8eff4211880b03d2cca3aad5e7662bcbf73572c4d08e11cbd1ac34ec073be12

Download Submit
C:\Users\Admin\AppData\Local\Temp\56A.tmp.bat

Filesize
93B

MD5
7ffbca03512dfbb46e8dadd72787ca5b

SHA1
c5e41dc231762b6e8a13f66afb1a0ce8b9eab946

SHA256
1742a5a5bff09b9e63872b92f5f425553a6854cee71e40e40ac4e3f8239d12ae

SHA512
54066f5363a0fcc4b59f1fd855331ee67e35388c2690512bc2900fac1aacb2ecf1c878339c083132e33d2096e497f6a705cdc5e58c9248514df4465bb0450f24

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads