Analysis
- max time kernel: 124s
- max time network: 147s
- platform: windows10_x64
- resource: win10v200430
- submitted: 23-05-2020 09:47
Static task: static1
Behavioral task: behavioral1
- Sample: 2020-05-22_17-36-19.bin.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: 2020-05-22_17-36-19.bin.exe
- Resource: win10v200430
General
- Target: 2020-05-22_17-36-19.bin.exe
- Size: 448KB
- MD5: 412568f078ec521bdba6ae14b9f36823
- SHA1: 3e5a80fe286834f6d5f0aaf014a420ec40ebad7d
- SHA256: e2c2a80cb4ecc511f30d72b3487cb9023b40a25f6bbe07a92f47230fb76544f4
- SHA512: 9e979c3873778991bfd05b22370fbab32f7ec16dd78b8c3f2b0f54ccfd26fcdfc84f881bdf4414d24228ad2a19ef00ecb062dd5e9e2e243966f1276698f1ff85
Malware Config
Signatures
Drops file in Program Files directory (28 IoCs)
Processes: 2020-05-22_17-36-19.bin.exe
Suspicious behavior: EnumeratesProcesses (50 IoCs)
Processes: 2020-05-22_17-36-19.bin.exe (pid 2040)
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: vssvc.exe, wmic.exe
- Token: SeBackupPrivilege (pid 2624, vssvc.exe)
- Token: SeRestorePrivilege (pid 2624, vssvc.exe)
- Token: SeAuditPrivilege (pid 2624, vssvc.exe)
- Token: SeIncreaseQuotaPrivilege (pid 1964, wmic.exe)
- Token: SeSecurityPrivilege (pid 1964, wmic.exe)
- Token: SeTakeOwnershipPrivilege (pid 1964, wmic.exe)
- Token: SeLoadDriverPrivilege (pid 1964, wmic.exe)
- Token: SeSystemProfilePrivilege (pid 1964, wmic.exe)
- Token: SeSystemtimePrivilege (pid 1964, wmic.exe)
- Token: SeProfSingleProcessPrivilege (pid 1964, wmic.exe)
- Token: SeIncBasePriorityPrivilege (pid 1964, wmic.exe)
- Token: SeCreatePagefilePrivilege (pid 1964, wmic.exe)
- Token: SeBackupPrivilege (pid 1964, wmic.exe)
- Token: SeRestorePrivilege (pid 1964, wmic.exe)
- Token: SeShutdownPrivilege (pid 1964, wmic.exe)
- Token: SeDebugPrivilege (pid 1964, wmic.exe)
- Token: SeSystemEnvironmentPrivilege (pid 1964, wmic.exe)
- Token: SeRemoteShutdownPrivilege (pid 1964, wmic.exe)
- Token: SeUndockPrivilege (pid 1964, wmic.exe)
- Token: SeManageVolumePrivilege (pid 1964, wmic.exe)
- Token: 33 (pid 1964, wmic.exe)
- Token: 34 (pid 1964, wmic.exe)
- Token: 35 (pid 1964, wmic.exe)
- Token: 36 (pid 1964, wmic.exe)
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
System policy modification (1 TTP, 1 IoC)
Processes: 2020-05-22_17-36-19.bin.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (2020-05-22_17-36-19.bin.exe)
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Adds Run entry to start application (2 TTPs, 2 IoCs)
Processes: 2020-05-22_17-36-19.bin.exe
- Key created: \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run (2020-05-22_17-36-19.bin.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2020-05-22_17-36-19.bin.exe\" e" (2020-05-22_17-36-19.bin.exe)
Suspicious use of WriteProcessMemory (45 IoCs)
Processes: 2020-05-22_17-36-19.bin.exe (pid 2040)
Drops file in Windows directory (44 IoCs)
Processes: 2020-05-22_17-36-19.bin.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Interacts with shadow copies (2 TTPs, 13 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (pids 2476, 3472, 4004, 3356, 864, 760, 1852, 2528, 1248, 2156, 4044, 3880, 3864)
Enumerates connected drives (3 TTPs)
Processes
- C:\Users\Admin\AppData\Local\Temp\2020-05-22_17-36-19.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2020-05-22_17-36-19.bin.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  - Adds Run entry to start application
  - Suspicious use of WriteProcessMemory
  - Drops file in Windows directory
  Child processes:
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2020-0~1.EXE >> NUL
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service