netwalker | 60deeaf4df6f3ca05f445a72664c95dd6aa66584716253f7b86cef516e13016a

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-01-2025 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
Size

69KB
MD5

2e2f5fe8aba42ba7a4eb972e201be179
SHA1

5be60349686e59140f33a071c80405da8952ad30
SHA256

60deeaf4df6f3ca05f445a72664c95dd6aa66584716253f7b86cef516e13016a
SHA512

4039fd176206f7879a80aa9eaa0a338ac0f845ba1b446966c7577d367149f3163526aea143e5c68ed45ee6a22080431304a134b408464479c1b9140ab523db54
SSDEEP

1536:4xa8XQ408kLUiQKovO5bGU+hhOZuIWcz46ZOtByKbCKrQQipc:oa8XK8yJQKmO5bZkhOZu1cziByKbCk/

Score

10^/10

netwalker defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\A4D0B4-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .a4d0b4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_a4d0b4: SCLvdvoA1y6R8ioWYO5A5MxRXWdstYL/77VC1EaKE9/95mocOh gUvOo5cMdFoPD6w5NTtCq7RPbwRoPm8x8waYcg84b/8G4MjQc1 +CDlB+AhjnJTxWPkB488nCFBQI0UcBY+AggTXGQUbZK1tlwFQg 3/DEWb9bqOOAi8dJe6PDeypNqPjIsgLkhdraW7ePXvbyR6ON3O Tsqh5So53s6SgzCUA3y12aymxUMwXs2Nt0ayo/XAEC98rt/zWs +OW2k+Hmr7/hlTVih0kaC84v2Etn5lIEb0yQ+evg==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Netwalker family
netwalker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (7442) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
4132	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL027.XML	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ProjectStatusReport.potx	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\LAUNCH.GIF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152704.WMF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jre7\release	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Class.zip	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_ja_4.4.0.v20140623020002.jar	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107262.WMF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21312_.GIF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0251007.WMF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00289_.WMF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_ja.jar	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251871.WMF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR48B.GIF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fil.pak	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormToolImages.jpg	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149481.WMF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR20F.GIF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IPIRM.XML	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh87	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME10.CSS	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Majuro	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00449_.WMF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304861.WMF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02413_.WMF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\A4D0B4-Readme.txt	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Puerto_Rico	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01585_.WMF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01742_.GIF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL077.XML	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Buenos_Aires	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Civic.thmx	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\.eclipseproduct	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR29F.GIF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143753.GIF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Azores	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143749.GIF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yakutsk	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02269_.WMF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLAPPTR.FAE	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Class.zip	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01618_.WMF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00728_.WMF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordcnvpxy.cnv	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR6B.GIF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318448.WMF	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fontconfig.bfc	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Issues.accdt	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\A4D0B4-Readme.txt	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREQ.CFG	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2608	vssadmin.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4844	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
Token: SeImpersonatePrivilege	2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
Token: SeBackupPrivilege	7828	vssvc.exe
Token: SeRestorePrivilege	7828	vssvc.exe
Token: SeAuditPrivilege	7828	vssvc.exe
Token: SeDebugPrivilege	4844	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2608	2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe	31
PID 2756 wrote to memory of 2608	2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe	31
PID 2756 wrote to memory of 2608	2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe	31
PID 2756 wrote to memory of 2608	2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe	31
PID 2756 wrote to memory of 4100	2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe	36
PID 2756 wrote to memory of 4100	2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe	36
PID 2756 wrote to memory of 4100	2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe	36
PID 2756 wrote to memory of 4100	2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe	36
PID 2756 wrote to memory of 4132	2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe	37
PID 2756 wrote to memory of 4132	2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe	37
PID 2756 wrote to memory of 4132	2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe	37
PID 2756 wrote to memory of 4132	2756	2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe	37
PID 4132 wrote to memory of 4844	4132	cmd.exe	39
PID 4132 wrote to memory of 4844	4132	cmd.exe	39
PID 4132 wrote to memory of 4844	4132	cmd.exe	39
PID 4132 wrote to memory of 4844	4132	cmd.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2608
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\A4D0B4-Readme.txt"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\6CD7.tmp.bat"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /PID 2756
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MKWD_AssetId.H1W.a4d0b4

Filesize
229KB

MD5
43e224f5ca0e13113552c992cba1dd5b

SHA1
84d861384ab447b6338c41b86ffc4db2b366d53e

SHA256
ae4a010af3a60a6292c5adcc32064de2d13d9a84ffb95cbaa1c00c03c7f506f8

SHA512
f62887a3bb82e814b0fa2c371a4e44414ff563ab2e97934b8192ef5bbbd23d45580e4e654ae10fbbcbdccad1ac6f76a8d1537f8dc00003f56458c09333e8bda5

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_CValidator.H1D.a4d0b4

Filesize
12KB

MD5
c58b4eb15934f1b5d4abd58737e0113c

SHA1
2681f602a79759775b6dca07cc8bb439453a2821

SHA256
cafcb55769ed4c96dfee500f3814a2fca4f29872b05812de39dff3b0343c5f16

SHA512
d7e9a0dc145512ae2b56ab873e274088c175214305896734d6f40daffa74dd45497595b34221dfdcbb2ac5413128288ff0b53be277b4b480ac2029961d47e23f

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MKWD_AssetId.H1W.a4d0b4

Filesize
229KB

MD5
c7d1b49222e4efb483413da167fdf8e3

SHA1
96ab60f535f40acbfa2edfef6c73fc3768b3fed7

SHA256
6e9cb303bdb2d8acf2ddbea6bd573294b64e3c5f5e084373c07357a3fd94a47d

SHA512
adf5040ce83d735fa7b9e9e597748ba982421fc9710b2d6b1ba818ee7a591b686946bf844f885c9f71063c601d27ff7fa30424f6b2e84c677b79a71e2d73a707

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MKWD_AssetId.H1W.a4d0b4

Filesize
229KB

MD5
86115876bfa3c3c75eea5bc985335b38

SHA1
a47b13afa06fe427cdef98ebbb1aaba59d581b77

SHA256
9dc98554e364ad1eebbb36315ecc4647d57c574dcefd6bb474feda1084d1acaa

SHA512
06a00dd77e75b4395abedf76bd2e132cdfaa4b2808592773556662ec3b8a20b586189f8472446ec6b53b62ce3c568a70317c1abeeb54179d934585b659f44f7d

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MKWD_BestBet.H1W.a4d0b4

Filesize
357KB

MD5
c0fb43592045e94e8dbded36dc3632f7

SHA1
196079a23105dea081cacfb9297a59a7b4cee6aa

SHA256
883fe6a703298ed1541696a28adb5cea43f1b7f396ead8b495d0b333fb54e578

SHA512
d64af96b85935e6e0f89bfcf66e213297081e613f1f0001f3912e001c78385306856cc1e311585a6f3d730d0233d45f81e07e33e2637cbaaf110ab5361f56dc2

Download Submit
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\MOR6INT.REST.trx_dll.a4d0b4

Filesize
48KB

MD5
81b127d0c93d6c71214b58113c0a6671

SHA1
df3a7b98734ce8496b7a888723b256a927b741db

SHA256
6ea4368b185c895d70661ada28b1b3c89f4eb877906f2435a5040ee9330c5782

SHA512
f4010b413277cf0de0592f7d70597bffc9f83f355ff496c2ce34a938403e4eda8ac2db0ca53b27a2c4d49be539ab1133747e6f734b0735c37b75ddba2e57406f

Download Submit
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\MSOINTL.REST.trx_dll.a4d0b4

Filesize
2.7MB

MD5
2bbf43731900d77c0a23b9f4c69c31de

SHA1
84ced5a3b91a3dfc4b3c3e7a2ba11818117a81ff

SHA256
fb42a700bbb5af9490ba05453fb042801d3a36833c3c3f149169ac559bd66c32

SHA512
dc63bb2b2ef502989136b27d4209a3639675929d27843bd0b00e06602ca8d1477e74cae752ef7b28922b302305c688357ed2f8a304651d31f599e7137d91a434

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\A4D0B4-Readme.txt

Filesize
1KB

MD5
7cb786c91204c56915e91db1077180e4

SHA1
8c3b71e053fffc15d2411a1c508cc14800d9cf46

SHA256
8291085bfede04a22453fe4d5903b526b7ae98f1ce931fe9631be8cd81f8faa7

SHA512
e98d039fbf16912bd1a20a10b98ae64b9d390e0f34c4d1ef82e06ad2c73728d19a871472d4546be00980d03ee14a33d51b7824d484c9b5ce7901c45ef69478fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CD7.tmp.bat

Filesize
127B

MD5
a176ec879fa861c6661a0dddcb9ee88d

SHA1
848750bb3c4985d938a531234a4a19c053226bc7

SHA256
677035c4b8c97c302a0c36fd646959f5a292ec1f945d0b576b2dcf68a10d7f00

SHA512
6703c1c8ef0f2106dc97896af91f2c776370577953fb921f7655d8fdea3f073d1801ad93cadd9d97d5a35a548027e9f6d5805ae5fa40f0e22b8a6bf3dcf91f38

Download Submit
memory/2756-6172-0x0000000000D70000-0x0000000000DED000-memory.dmp

Filesize
500KB

Download