Analysis Overview
SHA256
b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435
Threat Level: Known bad
The file b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe was found to be: Known bad.
Malicious Activity Summary
Detected Netwalker Ransomware
Netwalker Ransomware
Netwalker family
Deletes shadow copies
CryptOne packer
Renames multiple (6808) files with added filename extension
Renames multiple (7446) files with added filename extension
Deletes itself
Reads user/profile data of web browsers
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Interacts with shadow copies
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-25 15:45
Signatures
CryptOne packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-25 15:45
Reported
2024-11-25 15:47
Platform
win7-20241023-en
Max time kernel
33s
Max time network
32s
Command Line
Signatures
Detected Netwalker Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwalker Ransomware
Netwalker family
Deletes shadow copies
Renames multiple (7446) files with added filename extension
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Casual.css | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MX.XML | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+2 | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0300840.WMF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-awt-j2se-1.3.2.jar | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\javafx.properties | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00394_.WMF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Maputo | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105294.WMF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\A58086-Readme.txt | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0292152.WMF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01749_.GIF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0304933.WMF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00779_.WMF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0157763.WMF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\A58086-Readme.txt | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.zh_CN_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME40.CSS | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SWEST_01.MID | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03731_.WMF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\utilityfunctions.js | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay.css | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Indianapolis | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099193.GIF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Honolulu | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\security\A58086-Readme.txt | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187895.WMF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02958_.WMF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153047.WMF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0251007.WMF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBARV.POC | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195248.WMF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\A58086-Readme.txt | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\A58086-Readme.txt | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\Issue Tracking.gta | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL096.XML | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02115_.WMF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099172.WMF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00260_.WMF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\SignedComponents.cer | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME32.CSS | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\PersonalMonthlyBudget.xltx | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FOLDPROJ.XML | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\EXLIRM.XML | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Pushpin.xml | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Perspective.thmx | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZMAIN.ACCDE | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107290.WMF | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_01.MID | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
"C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe"
C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\A58086-Readme.txt"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\39F4.tmp.bat"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 1980
Network
Files
memory/1980-0-0x0000000000220000-0x0000000000246000-memory.dmp
memory/1980-1-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Public\Libraries\A58086-Readme.txt
| MD5 | 05d8347a9a5d53a487a7e9537c13f414 |
| SHA1 | e5f307c13b0486119fd58008dd56bd5da0097507 |
| SHA256 | 0b46eaa7abb5b1a6d51c3568a863eb86aacb3fe59fa917515b25a6d37f8537dd |
| SHA512 | c1a474bac3bd3d2dd470ce0f4f5746edd851e1c2385f3a056fb4efe78c4347ee86871ea6bf668a93f455b817561715f52c3f137565acfdb0388a3989b499d455 |
memory/1980-1653-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1980-1812-0x0000000000400000-0x0000000000448000-memory.dmp
memory/1980-4971-0x0000000000400000-0x0000000000448000-memory.dmp
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_CValidator.H1D.a58086
| MD5 | 82d76a8e13826fb1f0eba8c91cb75cd5 |
| SHA1 | ce7623c56c32eb7a43d63b058a0b0f7ddf410b15 |
| SHA256 | 05cc537cf621588383267d207574f0d4929fb329de1bf04b4cb9e228b5a0bba0 |
| SHA512 | 4439cb56baedb760bc1462b8d5e91976e9355285f473edbee3b04a0b838b20aa23b9b7f24b11128f4bc7121de6b54ba205f85f89bc5ece5bdc946604eaad1d7c |
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_CValidator.H1D.a58086
| MD5 | 74b41582b3a8ac69e72d9c0d360e28f0 |
| SHA1 | 471445a440c743aef80f2d7c611b8ff4621e87f6 |
| SHA256 | 64899aec6562216893f4da66268aee4fafdf6f223a775569015485c0a8a18852 |
| SHA512 | 39dc3426466b7f7ca348984359465517155487ff8749b6e28f5e0ad698700e95efc8a452b93a5635677935a1cb861f40c6b8b231cb54387f8627973ca7c2d298 |
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_CValidator.H1D.a58086
| MD5 | 61e6ebf23272e879a391ec05b1d6504f |
| SHA1 | 3a2d5bcae612317aad0479146f9b0b5a1cfe1b31 |
| SHA256 | fc485ed85b3bca20d1e81d49c9779ddc47783b8f30ae6bf15d78e159de758a8e |
| SHA512 | 739a28982e80b18a15f3216c49967c9c8781a8c4000a6cb7356acc985fe0db0686db06b4c148f44e2f4f4cef0265214320dad413abd5978ef05ac7fb2334f273 |
memory/1980-8272-0x0000000000400000-0x0000000000448000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\39F4.tmp.bat
| MD5 | 4286ef35c233b78458d304786feafb04 |
| SHA1 | f324828720b930941e044a6c7057dce9df620b54 |
| SHA256 | c0c32d4f96fc99c61b2530974e076750c126e50c6a3429ca668454a0b9e3259d |
| SHA512 | 95023413c77f56ecad8d197058a7380c530a6589cf98ce5056d1d564e98151bdfccf674d8e5d0463e85042b595eb9979f4f6fffafac94d05e639895008304572 |
memory/1980-8295-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1980-8294-0x0000000000400000-0x0000000000448000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-25 15:45
Reported
2024-11-25 15:47
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Detected Netwalker Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwalker Ransomware
Netwalker family
Deletes shadow copies
Renames multiple (6808) files with added filename extension
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\JumpListSettings.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-150_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\LargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ru-ru\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerLargeTile.contrast-white_scale-125.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSmallTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DAT | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\caller-id-illustration.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\lua\playlist\316108-Readme.txt | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileLargeSquare.scale-200.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\316108-Readme.txt | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Microsoft.Graphics.Canvas.winmd | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ru_135x40.svg | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected.svg | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.dic | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\316108-Readme.txt | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-white_scale-100.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-150.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay.winmd | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\316108-Readme.txt | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\.version | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-il\316108-Readme.txt | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\LockScreenLogo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\AttachmentPlaceholder-Light.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\rhp_world_icon_2x.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Msg_Received.m4a | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\316108-Readme.txt | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\316108-Readme.txt | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageMedTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\ext\meta-index | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\ImmersiveControl_Slider_Click_Sound.wma | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square71x71Logo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-white_scale-125.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-default_32.svg | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Square310x310Logo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-24_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-100.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-150_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\legal\jdk\zlib.md | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN011.XML | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare71x71Logo.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe
"C:\Users\Admin\AppData\Local\Temp\b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe"
C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\316108-Readme.txt"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\F107.tmp.bat"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 4080
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/4080-0-0x00000000005F0000-0x0000000000616000-memory.dmp
memory/4080-1-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\316108-Readme.txt
| MD5 | 2c20cafe74a59f347ab8d7578fe64ffb |
| SHA1 | 9901bf7fc470fa17faff0264de370ec6f72d871b |
| SHA256 | f8632f14c8a8ba44a769f9e5f80fc47b8c4df1bd6318994daf82e75a1360df92 |
| SHA512 | 00c526b2be43aca231d3eaa85bd4511e8a7466037f8c29b6dc6fe7f80bb590a3af4f064d07545e267941d9ac23ab80ad80f6f32c182d6f6f05aec0ed8accaccf |
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml
| MD5 | f73df88605e1e3446cc2a759010b94a2 |
| SHA1 | 9b21765994a831adf19626adf301a034d8db39b9 |
| SHA256 | 50b837bad6bf1467b49123ffcc160371af3788ec667a109f49bf00ebd39cd39e |
| SHA512 | 8e3fb91e1e4174c221dda54e5a4c9d5935f5c17edbd4bdbc7c4e6fd9c4f92636359e6b48d1952d5c8e74c06379d06f5ce25ddba13a3dd2b0c6c59ed78d249f90 |
memory/4080-4661-0x0000000000400000-0x0000000000448000-memory.dmp
memory/4080-4662-0x0000000000400000-0x0000000000414000-memory.dmp
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.316108
| MD5 | 5ed69e67c094549226d76e00f420bad6 |
| SHA1 | ec79e2b4f966466b977c32a106df6c9d438defba |
| SHA256 | 0ac8c23452990420e5bca406070144cc52e33439976559886ff7a7837b9dff64 |
| SHA512 | 19b6607ff278246a86d8da4454e6f07d86fd20b170b5a88db9ee1d8d64558aeecaccc510ab4ee1e02a203e8b67e888da8afb6f83700ca5e5751ab8f70c693fcf |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.url.316108
| MD5 | 5d4c90736e5a35b4e4c98fe6921efd7c |
| SHA1 | 921bdc0d4ca07bd7928dd317e11567fb6467603e |
| SHA256 | 2757e4efe82dab76549c538c750823d9436b06fe18045362c58b48743945ea21 |
| SHA512 | 1ecc8251c56884ed399fcbe6dedf630f0f77709b8873dc06d7ba0b0977615602c001eed5f497c929a3cbd652aae3e5b3944f9083e6bba4bfb7fd9447d7e2753b |
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000.316108
| MD5 | 52d3337844ba438252cf072a0bd37033 |
| SHA1 | 7efe1e00323ccf9685a4aac68d521097d3299d92 |
| SHA256 | c42055255b0b513d74c995ed453b84804fe5a97d4e62e72fcb32c3cc6ca4888a |
| SHA512 | ab52ace4423c86ba00367b3fb8fa3fa96e944483017150865f3c8e9b45e80ddb80cacca1586038fb70596f7dbac88c793ee609a91d11a4a3d09a7ed6ab126ec5 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man.316108
| MD5 | fe26cbe2d076bcfc1595f9ba3dd7eb09 |
| SHA1 | 844ca6c02cc9cad655ae0484a709c0dac1f23a5e |
| SHA256 | 264528a52eeacc21f2c0797299f8b4522950750b40ca9e5a31f8b9990c1d8f78 |
| SHA512 | b928b8e6ff07d1e770c9a4ea5e689eab796c1ea5abbd0364e2028db325fb250af2ce5ad6952d1c9a6851a510e16614551db15afe6ce6599e5f0190eab09e900c |
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001.316108
| MD5 | ae1b896e9bedd6182e4f6a5a85f96624 |
| SHA1 | c9338afed596bd61a460603a1020d6943bc25495 |
| SHA256 | f939f5cc724e1b374d41030376eb450958c3648e49db439d7594a33b8cb5a2b3 |
| SHA512 | 7a5b15c1b36aeef0c4ff1dc897812c3b65ea8f71a9ae8876c7fc025c3dda0d106cd5a02f7133fbb64b180879e2e74917fb81615bdfe173932a009d2af52ac675 |
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002.316108
| MD5 | 2c3b1a1000afb9a364713555324472b6 |
| SHA1 | 30a0b995a7da812a7932b3a594b45f80e7c33521 |
| SHA256 | b410973822685debebc86fb00980838d80f034d0f3b44c7e0412d5e87ac1f153 |
| SHA512 | bed91dc95f3f3838c107a80946761c29224f3f87bda07f325f9d9bbea15be34d8a88e52eed62cf6265face611811a5391d0eba525a292f37bc3d881afb26e757 |
C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\state.rsm.316108
| MD5 | 02bd49c68e39a04ac5b76558a6d05840 |
| SHA1 | d19d3a46a8c5c4d2b12300db24f08da750472925 |
| SHA256 | 7f201cc649dd1fdd7d4824705f6f9ab2694297495b06a9a11cf90c7f7dbad4f2 |
| SHA512 | e6f9d14a8beec534d059d2742af96af2978d2cc6d636b286e7e394ac25c93aa69b81e2bba3bed90024051c806f68558143ebcf4741a10c61a7972c215b2c0678 |
memory/4080-9128-0x0000000000400000-0x0000000000448000-memory.dmp
memory/4080-9139-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4080-9138-0x0000000000400000-0x0000000000448000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F107.tmp.bat
| MD5 | d8cfe105121a5b7914204d6eb15a7129 |
| SHA1 | ad6f285ebd3f6c27d53c7525cc72801e3f4e3464 |
| SHA256 | 003c1062c3e3ddb0aab528c99a7c54c067a49d77dbf1419b42a841c76dec9495 |
| SHA512 | 063f1786a2d493a55c0bdc25391212b4f2beca9111c57b62f71a7e5b052f71144b0f356f17429606f562a995f37b19e33d126decdc877da7858f638e43ed908c |