Analysis
- max time kernel: 150s
- max time network: 107s
- platform: windows10_x64
- resource: win10v200217
- submitted: 20-02-2020 12:54

Static task: static1

Behavioral task: behavioral1
  Sample: ransom.exe.zip
  Resource: win7v200217

Behavioral task: behavioral2
  Sample: ransom.exe.zip
  Resource: win10v200217

Behavioral task: behavioral3
  Sample: TrustedInstaller.exe.new.exe
  Resource: win7v200217

Behavioral task: behavioral4
  Sample: TrustedInstaller.exe.new.exe
  Resource: win10v200217
General
- Target: TrustedInstaller.exe.new.exe
- Size: 210KB
- MD5: 98d24623bd39d9fcfa1c2431a9391a07
- SHA1: 113df2b19ccfa8d8ff8a2a5b72bda05fe517118a
- SHA256: b0c1e89ebf16baa03b431b797aece48eeb3da6bb6eabf12fa6a3aefd93f5890e
- SHA512: c114fa0bdf4b7694a07a8cbee268f53287f9dbb66d4f29817c581fb86d831be9e351770e9cb4a6d3dc3c36eee1e9594139f638242a7042b33928fae6d3e6ac53
Malware Config
Extracted
- Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- Family: buran
- Emails: puljaipopre1981@protonmail.com, viomukinam1978@protonmail.com
Signatures

Suspicious use of AdjustPrivilegeToken  48 IoCs
Processes: TrustedInstaller.exe.new.exe, lsass.exe, WMIC.exe, vssvc.exe
  description                           pid   process
  Token: SeDebugPrivilege               1592  TrustedInstaller.exe.new.exe
  Token: SeDebugPrivilege               3940  lsass.exe
  Token: SeIncreaseQuotaPrivilege       4048  WMIC.exe
  Token: SeSecurityPrivilege            4048  WMIC.exe
  Token: SeTakeOwnershipPrivilege       4048  WMIC.exe
  Token: SeLoadDriverPrivilege          4048  WMIC.exe
  Token: SeSystemProfilePrivilege       4048  WMIC.exe
  Token: SeSystemtimePrivilege          4048  WMIC.exe
  Token: SeProfSingleProcessPrivilege   4048  WMIC.exe
  Token: SeIncBasePriorityPrivilege     4048  WMIC.exe
  Token: SeCreatePagefilePrivilege      4048  WMIC.exe
  Token: SeBackupPrivilege              4048  WMIC.exe
  Token: SeRestorePrivilege             4048  WMIC.exe
  Token: SeShutdownPrivilege            4048  WMIC.exe
  Token: SeDebugPrivilege               4048  WMIC.exe
  Token: SeSystemEnvironmentPrivilege   4048  WMIC.exe
  Token: SeRemoteShutdownPrivilege      4048  WMIC.exe
  Token: SeUndockPrivilege              4048  WMIC.exe
  Token: SeManageVolumePrivilege        4048  WMIC.exe
  Token: 33                             4048  WMIC.exe
  Token: 34                             4048  WMIC.exe
  Token: 35                             4048  WMIC.exe
  Token: 36                             4048  WMIC.exe
  Token: SeBackupPrivilege              3972  vssvc.exe
  Token: SeRestorePrivilege             3972  vssvc.exe
  Token: SeAuditPrivilege               3972  vssvc.exe
Deletes itself  1 IoCs
Processes: notepad.exe
  pid   process
  3576  notepad.exe
Discovering connected drives  3 TTPs  5 IoCs
Processes: TrustedInstaller.exe.new.exe, lsass.exe
  description              ioc     process
  File opened (read-only)  \??\C:  TrustedInstaller.exe.new.exe
  File opened (read-only)  \??\F:  lsass.exe
  File opened (read-only)  \??\E:  lsass.exe
  File opened (read-only)  \??\B:  lsass.exe
  File opened (read-only)  \??\A:  lsass.exe
Drops file in Program Files directory  26424 IoCs
Processes: lsass.exe
Modifies service  2 TTPs  4 IoCs
Processes: vssvc.exe
  description  ioc                                                                                      process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                 vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer               vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                      vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
Interacts with shadow copies  2 TTPs  1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
  pid   process
  2028  vssadmin.exe
Suspicious use of WriteProcessMemory  42 IoCs
Processes: TrustedInstaller.exe.new.exe, lsass.exe, cmd.exe, cmd.exe
  description                   pid   process                       target process
  PID 1592 wrote to memory of 3940  1592  TrustedInstaller.exe.new.exe  lsass.exe
  PID 1592 wrote to memory of 3576  1592  TrustedInstaller.exe.new.exe  notepad.exe
  PID 3940 wrote to memory of 4024  3940  lsass.exe                     lsass.exe
  PID 3940 wrote to memory of 2028  3940  lsass.exe                     cmd.exe
  PID 3940 wrote to memory of 3100  3940  lsass.exe                     cmd.exe
  PID 3940 wrote to memory of 3080  3940  lsass.exe                     cmd.exe
  PID 3940 wrote to memory of 3876  3940  lsass.exe                     cmd.exe
  PID 3940 wrote to memory of 3920  3940  lsass.exe                     cmd.exe
  PID 3940 wrote to memory of 3844  3940  lsass.exe                     cmd.exe
  PID 3940 wrote to memory of 3716  3940  lsass.exe                     cmd.exe
  PID 3716 wrote to memory of 4048  3716  cmd.exe                       WMIC.exe
  PID 3940 wrote to memory of 2900  3940  lsass.exe                     cmd.exe
  PID 2900 wrote to memory of 2028  2900  cmd.exe                       vssadmin.exe
Executes dropped EXE  2 IoCs
Processes: lsass.exe, lsass.exe
  pid   process
  3940  lsass.exe
  4024  lsass.exe
Suspicious behavior: EnumeratesProcesses  8144 IoCs
Processes: lsass.exe
  pid   process
  3940  lsass.exe
Deletes shadow copies  2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

Adds Run entry to start application  2 TTPs  2 IoCs
Processes: TrustedInstaller.exe.new.exe
  description      ioc                                                                                                       process
  Set value (str)  \REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"  TrustedInstaller.exe.new.exe
  Key created      \REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Windows\CurrentVersion\Run  TrustedInstaller.exe.new.exe
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe.new.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe.new.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Discovering connected drives
  - Suspicious use of WriteProcessMemory
  - Adds Run entry to start application

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
    - Suspicious use of AdjustPrivilegeToken
    - Discovering connected drives
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
      - Drops file in Program Files directory
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete backup

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies

  C:\Windows\SysWOW64\notepad.exe
    Command line: notepad.exe
    - Deletes itself

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service