Analysis
- max time kernel: 126s
- max time network: 120s
- platform: windows7_x64
- resource: win7v200217
- submitted: 20-02-2020 12:54
- Static task static1
- Behavioral task behavioral1: sample ransom.exe.zip, resource win7v200217
- Behavioral task behavioral2: sample ransom.exe.zip, resource win10v200217
- Behavioral task behavioral3: sample TrustedInstaller.exe.new.exe, resource win7v200217
- Behavioral task behavioral4: sample TrustedInstaller.exe.new.exe, resource win10v200217
General
- Target: TrustedInstaller.exe.new.exe
- Size: 210KB
- MD5: 98d24623bd39d9fcfa1c2431a9391a07
- SHA1: 113df2b19ccfa8d8ff8a2a5b72bda05fe517118a
- SHA256: b0c1e89ebf16baa03b431b797aece48eeb3da6bb6eabf12fa6a3aefd93f5890e
- SHA512: c114fa0bdf4b7694a07a8cbee268f53287f9dbb66d4f29817c581fb86d831be9e351770e9cb4a6d3dc3c36eee1e9594139f638242a7042b33928fae6d3e6ac53
Malware Config
- Extracted from: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- Family: buran
- Contact emails: puljaipopre1981@protonmail.com, viomukinam1978@protonmail.com
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies service (2 TTPs, 4 IoCs)
  Process: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Process: vssadmin.exe (PID 1540)
- Adds Run entry to start application (2 TTPs, 2 IoCs)
  Process: TrustedInstaller.exe.new.exe
  - Key created: \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"
- Deletes itself (1 IoC)
  Process: notepad.exe (PID 1896)
- Discovering connected drives (3 TTPs, 5 IoCs)
  - File opened (read-only): \??\E: by taskeng.exe
  - File opened (read-only): \??\B: by taskeng.exe
  - File opened (read-only): \??\A: by taskeng.exe
  - File opened (read-only): \??\C: by TrustedInstaller.exe.new.exe
  - File opened (read-only): \??\F: by taskeng.exe
- Drops file in Program Files directory (23588 IoCs)
  Process: taskeng.exe
- Loads dropped DLL (9 IoCs)
  Processes: TrustedInstaller.exe.new.exe (PID 1836, 2 events); taskeng.exe (PID 1860, 4 events); taskeng.exe (PID 1924, 3 events)
- Suspicious use of WriteProcessMemory (104 IoCs)
  Source process → target process (repeated writes collapsed to one entry each):
  - PID 1836 TrustedInstaller.exe.new.exe → PID 1860 taskeng.exe
  - PID 1836 TrustedInstaller.exe.new.exe → PID 1896 notepad.exe
  - PID 1860 taskeng.exe → PID 1924 taskeng.exe
  - PID 1860 taskeng.exe → PID 1952 cmd.exe
  - PID 1860 taskeng.exe → PID 1976 cmd.exe
  - PID 1860 taskeng.exe → PID 2000 cmd.exe
  - PID 1860 taskeng.exe → PID 2024 cmd.exe
  - PID 1860 taskeng.exe → PID 1012 cmd.exe
  - PID 1860 taskeng.exe → PID 848 cmd.exe
- Executes dropped EXE (2 IoCs)
  Processes: taskeng.exe (PID 1860); taskeng.exe (PID 1924)
- Suspicious use of AdjustPrivilegeToken (52 IoCs)
  Privileges enabled per process (repeated token entries collapsed):
  - PID 1836 TrustedInstaller.exe.new.exe: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege
  - PID 1860 taskeng.exe: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege
  - PID 1372 WMIC.exe (two identical rounds): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  - PID 336 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious behavior: EnumeratesProcesses (3366 IoCs)
  Process: taskeng.exe (PID 1860)
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
Processes
- C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe.new.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe.new.exe"
  - Adds Run entry to start application
  - Discovering connected drives
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
    - Discovering connected drives
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
      - Drops file in Program Files directory
      - Loads dropped DLL
      - Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad.exe
  - C:\Windows\SysWOW64\notepad.exe
    Command line: notepad.exe
    - Deletes itself
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
- C:\Users\Admin\Desktop\AddGroup.xsl.192-9D1-41C
- C:\Users\Admin\Desktop\CheckpointRestore.vssm.192-9D1-41C
- C:\Users\Admin\Desktop\ConnectWait.pptx.192-9D1-41C
- C:\Users\Admin\Desktop\ConvertFromTrace.scf.192-9D1-41C
- C:\Users\Admin\Desktop\EditExpand.3gp2.192-9D1-41C
- C:\Users\Admin\Desktop\EditOut.au.192-9D1-41C
- C:\Users\Admin\Desktop\ExpandDeny.wvx.192-9D1-41C
- C:\Users\Admin\Desktop\FindRemove.rtf.192-9D1-41C
- C:\Users\Admin\Desktop\GroupStop.ADTS.192-9D1-41C
- C:\Users\Admin\Desktop\InitializeSplit.emf.192-9D1-41C
- C:\Users\Admin\Desktop\InstallRename.xlsx.192-9D1-41C
- C:\Users\Admin\Desktop\MountSync.avi.192-9D1-41C
- C:\Users\Admin\Desktop\NewStop.cab.192-9D1-41C
- C:\Users\Admin\Desktop\OutUninstall.pptm.192-9D1-41C
- C:\Users\Admin\Desktop\ReceiveUnprotect.xlsm.192-9D1-41C
- C:\Users\Admin\Desktop\RedoTrace.midi.192-9D1-41C
- C:\Users\Admin\Desktop\RemoveConvertTo.MTS.192-9D1-41C
- C:\Users\Admin\Desktop\RemoveUnpublish.pdf.192-9D1-41C
- C:\Users\Admin\Desktop\RestartDismount.jpeg.192-9D1-41C
- C:\Users\Admin\Desktop\RestoreExit.sql.192-9D1-41C
- C:\Users\Admin\Desktop\SaveMerge.DVR.192-9D1-41C
- C:\Users\Admin\Desktop\SyncCheckpoint.mpeg3.192-9D1-41C
- C:\Users\Admin\Desktop\TestGroup.zip.192-9D1-41C
- C:\Users\Admin\Desktop\TraceRename.cfg.192-9D1-41C
- C:\Users\Admin\Desktop\UnlockRedo.wmf.192-9D1-41C
- C:\Users\Admin\Desktop\UnregisterPop.mov.192-9D1-41C
- C:\Users\Admin\Desktop\WaitClose.cab.192-9D1-41C
- \Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe