netwalker | b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
Size

282KB
MD5

e553d54a06009595a4ae269e9c96cbe0
SHA1

e762481794fa9096f4229f2eddfe0266bfc9f7ac
SHA256

b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435
SHA512

dba51a50f1b94ab8a7da9f0401993ba336b623afbbe9320a09f69fa89390889edca32bf237a9cc9f0b78e181790bbee005b43fc633feefc389bc4bc757f602b9
SSDEEP

3072:uvgIGSgSWSQ2qobyyBPgKlBkqdX2z6oXo:SgIGSgpSQ2J7PLlBkYXxoY

Score

10^/10

netwalker defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft\Edge\316108-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .316108 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_316108: eyPo33hq1FM9D+9KB3xpf78IV4zHlaBWJQMWm8bS8zETFrsQCM +5sQcaWUZSz+GsoPUI9lROd5Ly4AVXODAkwT3FzT3/EiVa41Zj AixraDWA0yF/AR89e/jdWoDCg8VkUxW8HEGm8iNghNhMNlBGst LinBCPhMWk7ohr1+VtYfsAcY1Ao5yDZ6fuabx+U1qiCY74j41l GYt7yTSCWnOTfWZB7wY4NE9PwiByvJjbsGNRe+e9yGDlfye6CV hEK3R3CoTvNKb/53ATipgyP7CgRo/2dfO4Btg6iQ==}

URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Detected Netwalker Ransomware 6 IoCs

Detected unpacked Netwalker executable.

resource	yara_rule
behavioral2/memory/4080-1-0x0000000000400000-0x0000000000414000-memory.dmp	netwalker_ransomware
behavioral2/memory/4080-4661-0x0000000000400000-0x0000000000448000-memory.dmp	netwalker_ransomware
behavioral2/memory/4080-4662-0x0000000000400000-0x0000000000414000-memory.dmp	netwalker_ransomware
behavioral2/memory/4080-9128-0x0000000000400000-0x0000000000448000-memory.dmp	netwalker_ransomware
behavioral2/memory/4080-9139-0x0000000000400000-0x0000000000414000-memory.dmp	netwalker_ransomware
behavioral2/memory/4080-9138-0x0000000000400000-0x0000000000448000-memory.dmp	netwalker_ransomware

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Netwalker family
netwalker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6808) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\ui-strings.js	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\JumpListSettings.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-150_contrast-white.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\LargeTile.scale-100.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ru-ru\ui-strings.js	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerLargeTile.contrast-white_scale-125.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSmallTile.scale-200.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DAT	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\caller-id-illustration.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\316108-Readme.txt	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileLargeSquare.scale-200.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\316108-Readme.txt	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Microsoft.Graphics.Canvas.winmd	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ppd.xrm-ms	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ru_135x40.svg	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\ui-strings.js	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-125.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected.svg	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.dic	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\316108-Readme.txt	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-white_scale-100.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-150.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay.winmd	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\316108-Readme.txt	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\.version	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-il\316108-Readme.txt	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\LockScreenLogo.scale-100.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\AttachmentPlaceholder-Light.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\rhp_world_icon_2x.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Msg_Received.m4a	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\316108-Readme.txt	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\316108-Readme.txt	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageMedTile.scale-200.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\meta-index	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\ImmersiveControl_Slider_Click_Sound.wma	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-unplated.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square71x71Logo.scale-200.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-200.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-white_scale-125.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-default_32.svg	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ppd.xrm-ms	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Square310x310Logo.scale-200.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-400.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-24_altform-unplated.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-100.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-150_contrast-white.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\zlib.md	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN011.XML	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare71x71Logo.scale-200_contrast-white.png	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
4244	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
6748	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
Token: SeImpersonatePrivilege	4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
Token: SeBackupPrivilege	4644	vssvc.exe
Token: SeRestorePrivilege	4644	vssvc.exe
Token: SeAuditPrivilege	4644	vssvc.exe
Token: SeDebugPrivilege	6748	taskkill.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 4244	4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe	82
PID 4080 wrote to memory of 4244	4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe	82
PID 4080 wrote to memory of 10316	4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe	95
PID 4080 wrote to memory of 10316	4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe	95
PID 4080 wrote to memory of 10316	4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe	95
PID 4080 wrote to memory of 5856	4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe	96
PID 4080 wrote to memory of 5856	4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe	96
PID 4080 wrote to memory of 5856	4080	b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe	96
PID 5856 wrote to memory of 6748	5856	cmd.exe	98
PID 5856 wrote to memory of 6748	5856	cmd.exe	98
PID 5856 wrote to memory of 6748	5856	cmd.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
"C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4244
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\316108-Readme.txt"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\F107.tmp.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /PID 4080
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\316108-Readme.txt

Filesize
1KB

MD5
2c20cafe74a59f347ab8d7578fe64ffb

SHA1
9901bf7fc470fa17faff0264de370ec6f72d871b

SHA256
f8632f14c8a8ba44a769f9e5f80fc47b8c4df1bd6318994daf82e75a1360df92

SHA512
00c526b2be43aca231d3eaa85bd4511e8a7466037f8c29b6dc6fe7f80bb590a3af4f064d07545e267941d9ac23ab80ad80f6f32c182d6f6f05aec0ed8accaccf

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
3.3MB

MD5
f73df88605e1e3446cc2a759010b94a2

SHA1
9b21765994a831adf19626adf301a034d8db39b9

SHA256
50b837bad6bf1467b49123ffcc160371af3788ec667a109f49bf00ebd39cd39e

SHA512
8e3fb91e1e4174c221dda54e5a4c9d5935f5c17edbd4bdbc7c4e6fd9c4f92636359e6b48d1952d5c8e74c06379d06f5ce25ddba13a3dd2b0c6c59ed78d249f90

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man.316108

Filesize
412KB

MD5
fe26cbe2d076bcfc1595f9ba3dd7eb09

SHA1
844ca6c02cc9cad655ae0484a709c0dac1f23a5e

SHA256
264528a52eeacc21f2c0797299f8b4522950750b40ca9e5a31f8b9990c1d8f78

SHA512
b928b8e6ff07d1e770c9a4ea5e689eab796c1ea5abbd0364e2028db325fb250af2ce5ad6952d1c9a6851a510e16614551db15afe6ce6599e5f0190eab09e900c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.316108

Filesize
16KB

MD5
5ed69e67c094549226d76e00f420bad6

SHA1
ec79e2b4f966466b977c32a106df6c9d438defba

SHA256
0ac8c23452990420e5bca406070144cc52e33439976559886ff7a7837b9dff64

SHA512
19b6607ff278246a86d8da4454e6f07d86fd20b170b5a88db9ee1d8d64558aeecaccc510ab4ee1e02a203e8b67e888da8afb6f83700ca5e5751ab8f70c693fcf

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000.316108

Filesize
506B

MD5
52d3337844ba438252cf072a0bd37033

SHA1
7efe1e00323ccf9685a4aac68d521097d3299d92

SHA256
c42055255b0b513d74c995ed453b84804fe5a97d4e62e72fcb32c3cc6ca4888a

SHA512
ab52ace4423c86ba00367b3fb8fa3fa96e944483017150865f3c8e9b45e80ddb80cacca1586038fb70596f7dbac88c793ee609a91d11a4a3d09a7ed6ab126ec5

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001.316108

Filesize
64KB

MD5
ae1b896e9bedd6182e4f6a5a85f96624

SHA1
c9338afed596bd61a460603a1020d6943bc25495

SHA256
f939f5cc724e1b374d41030376eb450958c3648e49db439d7594a33b8cb5a2b3

SHA512
7a5b15c1b36aeef0c4ff1dc897812c3b65ea8f71a9ae8876c7fc025c3dda0d106cd5a02f7133fbb64b180879e2e74917fb81615bdfe173932a009d2af52ac675

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002.316108

Filesize
64KB

MD5
2c3b1a1000afb9a364713555324472b6

SHA1
30a0b995a7da812a7932b3a594b45f80e7c33521

SHA256
b410973822685debebc86fb00980838d80f034d0f3b44c7e0412d5e87ac1f153

SHA512
bed91dc95f3f3838c107a80946761c29224f3f87bda07f325f9d9bbea15be34d8a88e52eed62cf6265face611811a5391d0eba525a292f37bc3d881afb26e757

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.url.316108

Filesize
489B

MD5
5d4c90736e5a35b4e4c98fe6921efd7c

SHA1
921bdc0d4ca07bd7928dd317e11567fb6467603e

SHA256
2757e4efe82dab76549c538c750823d9436b06fe18045362c58b48743945ea21

SHA512
1ecc8251c56884ed399fcbe6dedf630f0f77709b8873dc06d7ba0b0977615602c001eed5f497c929a3cbd652aae3e5b3944f9083e6bba4bfb7fd9447d7e2753b

Download Submit
C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\state.rsm.316108

Filesize
1KB

MD5
02bd49c68e39a04ac5b76558a6d05840

SHA1
d19d3a46a8c5c4d2b12300db24f08da750472925

SHA256
7f201cc649dd1fdd7d4824705f6f9ab2694297495b06a9a11cf90c7f7dbad4f2

SHA512
e6f9d14a8beec534d059d2742af96af2978d2cc6d636b286e7e394ac25c93aa69b81e2bba3bed90024051c806f68558143ebcf4741a10c61a7972c215b2c0678

Download Submit
C:\Users\Admin\AppData\Local\Temp\F107.tmp.bat

Filesize
142B

MD5
d8cfe105121a5b7914204d6eb15a7129

SHA1
ad6f285ebd3f6c27d53c7525cc72801e3f4e3464

SHA256
003c1062c3e3ddb0aab528c99a7c54c067a49d77dbf1419b42a841c76dec9495

SHA512
063f1786a2d493a55c0bdc25391212b4f2beca9111c57b62f71a7e5b052f71144b0f356f17429606f562a995f37b19e33d126decdc877da7858f638e43ed908c

Download Submit
memory/4080-4662-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4080-4661-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4080-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4080-0-0x00000000005F0000-0x0000000000616000-memory.dmp

Filesize
152KB

Download
memory/4080-9128-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4080-9139-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4080-9138-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download