Analysis
-
max time kernel
302s -
max time network
202s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
25-05-2020 13:27
Static task
static1
Behavioral task
behavioral1
Sample
MetadataSys.exe
Resource
win7v200430
General
-
Target
MetadataSys.exe
-
Size
348KB
-
MD5
a705103021bfd908ff3baf3cd7f0d01e
-
SHA1
0e618149c4ec7e46e6f32a0aa042c74dc73ca828
-
SHA256
91e573ed92344a8eb7110e6af97f10b9f848f25f9f1a0fe411e2eef39e3dc342
-
SHA512
da72065e999745749fa89a0fa9be72fb89d0ac3fa54e4274732693e355ad2228ed60bede1092c6e691f6e88e19708de7e7672caba2886abbd79ec761c7faf0c6
Malware Config
Extracted
C:\readme-warning.txt
makop
KILLYOUASS@protonmail.com
killyouass@horsefucker.org
Signatures
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
vssvc.exewbengine.exeWMIC.exedescription pid process Token: SeBackupPrivilege 1028 vssvc.exe Token: SeRestorePrivilege 1028 vssvc.exe Token: SeAuditPrivilege 1028 vssvc.exe Token: SeBackupPrivilege 1316 wbengine.exe Token: SeRestorePrivilege 1316 wbengine.exe Token: SeSecurityPrivilege 1316 wbengine.exe Token: SeIncreaseQuotaPrivilege 1868 WMIC.exe Token: SeSecurityPrivilege 1868 WMIC.exe Token: SeTakeOwnershipPrivilege 1868 WMIC.exe Token: SeLoadDriverPrivilege 1868 WMIC.exe Token: SeSystemProfilePrivilege 1868 WMIC.exe Token: SeSystemtimePrivilege 1868 WMIC.exe Token: SeProfSingleProcessPrivilege 1868 WMIC.exe Token: SeIncBasePriorityPrivilege 1868 WMIC.exe Token: SeCreatePagefilePrivilege 1868 WMIC.exe Token: SeBackupPrivilege 1868 WMIC.exe Token: SeRestorePrivilege 1868 WMIC.exe Token: SeShutdownPrivilege 1868 WMIC.exe Token: SeDebugPrivilege 1868 WMIC.exe Token: SeSystemEnvironmentPrivilege 1868 WMIC.exe Token: SeRemoteShutdownPrivilege 1868 WMIC.exe Token: SeUndockPrivilege 1868 WMIC.exe Token: SeManageVolumePrivilege 1868 WMIC.exe Token: 33 1868 WMIC.exe Token: 34 1868 WMIC.exe Token: 35 1868 WMIC.exe Token: SeIncreaseQuotaPrivilege 1868 WMIC.exe Token: SeSecurityPrivilege 1868 WMIC.exe Token: SeTakeOwnershipPrivilege 1868 WMIC.exe Token: SeLoadDriverPrivilege 1868 WMIC.exe Token: SeSystemProfilePrivilege 1868 WMIC.exe Token: SeSystemtimePrivilege 1868 WMIC.exe Token: SeProfSingleProcessPrivilege 1868 WMIC.exe Token: SeIncBasePriorityPrivilege 1868 WMIC.exe Token: SeCreatePagefilePrivilege 1868 WMIC.exe Token: SeBackupPrivilege 1868 WMIC.exe Token: SeRestorePrivilege 1868 WMIC.exe Token: SeShutdownPrivilege 1868 WMIC.exe Token: SeDebugPrivilege 1868 WMIC.exe Token: SeSystemEnvironmentPrivilege 1868 WMIC.exe Token: SeRemoteShutdownPrivilege 1868 WMIC.exe Token: SeUndockPrivilege 1868 WMIC.exe Token: SeManageVolumePrivilege 1868 WMIC.exe Token: 33 1868 WMIC.exe Token: 34 1868 WMIC.exe Token: 35 1868 WMIC.exe -
Processes:
wbadmin.exepid process 1716 wbadmin.exe -
Drops file in Windows directory 304 IoCs
Processes:
RegAsm.exedescription ioc process File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\webAdminButtonRow.master RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_perf2.ini RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\adonetdiag.mof.uninstall RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardInit.ascx.resx RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\ServiceModelEvents.dll.mui RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.VisualBasic.targets RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\DebugAndTrace.aspx RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\legacy.web_hightrust.config RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web_mediumtrust.config.default RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\ServiceModelPerformanceCounters.dll.mui RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_GlobalResources\GlobalResources.resx RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\_SMSvcHostPerfCounters.h RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\legacy.web_mediumtrust.config.default RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\legacy.web_minimaltrust.config.default RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\CORPerfMonSymbols.h RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild\Microsoft.Build.Commontypes.xsd RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DebugAndTrace.aspx.resx RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_perf.h RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\default.win32manifest RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe.config RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\Microsoft.Windows.ApplicationServer.Applications.dll.mui RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\normnfd.nlp RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\security.aspx RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\editUser.aspx.resx RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Security.aspx RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Xaml.targets RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\DropSqlPersistenceProviderLogic.sql RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\Tracking_Schema.sql RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\home2.aspx.resx RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Providers\App_LocalResources\chooseProviderManagement.aspx.resx RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Data.Entity.targets RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardAuthentication.ascx RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardProviderInfo.ascx RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\webAdminNoNavBar.master RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\ServiceModelRegUI.dll.mui RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\_Networkingperfcounters_v2.ini RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\addUser.aspx.resx RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\legacy.web_hightrust.config.default RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe.config RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreLogic.sql RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web_minimaltrust.config RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\adonetdiag.mof RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\AppConfigHome.aspx RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_Code\SecurityPage.cs RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardCreateRoles.ascx.resx RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe.config RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\MOF\ServiceModel.mof.uninstall RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe.config RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe.config RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\corperfmonsymbols.ini RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\Browsers\blackberry.browser RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\Browsers\ucbrowser.browser RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.ServiceModel.targets RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild\Microsoft.Build.Core.xsd RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\AppSetting.ascx RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DefineErrorPage.aspx.resx RegAsm.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp.aspx.resx RegAsm.exe -
Processes:
RegAsm.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 RegAsm.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
MetadataSys.exeRegAsm.exedescription pid process target process PID 824 wrote to memory of 1284 824 MetadataSys.exe RegAsm.exe PID 824 wrote to memory of 1284 824 MetadataSys.exe RegAsm.exe PID 824 wrote to memory of 1284 824 MetadataSys.exe RegAsm.exe PID 824 wrote to memory of 1284 824 MetadataSys.exe RegAsm.exe PID 824 wrote to memory of 1284 824 MetadataSys.exe RegAsm.exe PID 824 wrote to memory of 1284 824 MetadataSys.exe RegAsm.exe PID 824 wrote to memory of 1284 824 MetadataSys.exe RegAsm.exe PID 824 wrote to memory of 1284 824 MetadataSys.exe RegAsm.exe PID 824 wrote to memory of 1284 824 MetadataSys.exe RegAsm.exe PID 824 wrote to memory of 1284 824 MetadataSys.exe RegAsm.exe PID 824 wrote to memory of 1284 824 MetadataSys.exe RegAsm.exe PID 824 wrote to memory of 1284 824 MetadataSys.exe RegAsm.exe PID 1284 wrote to memory of 640 1284 RegAsm.exe cmd.exe PID 1284 wrote to memory of 640 1284 RegAsm.exe cmd.exe PID 1284 wrote to memory of 640 1284 RegAsm.exe cmd.exe PID 1284 wrote to memory of 640 1284 RegAsm.exe cmd.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
MetadataSys.exedescription pid process target process PID 824 set thread context of 1284 824 MetadataSys.exe RegAsm.exe -
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 1752 bcdedit.exe 1744 bcdedit.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 380 vssadmin.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe -
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops file in Program Files directory 9170 IoCs
Processes:
RegAsm.exedescription ioc process File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_flyout.png RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Simferopol RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE00052_.WMF RegAsm.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo RegAsm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\flyout.css RegAsm.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME36.CSS RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\attention.gif RegAsm.exe File opened for modification C:\Program Files\Windows Mail\en-US\msoeres.dll.mui RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\background.gif RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\TAB_ON.GIF RegAsm.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png RegAsm.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp RegAsm.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0150150.WMF RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0229385.WMF RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD14594_.GIF RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\bg_SlateBlue.gif RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\Office14\PUBWIZ\DGREPFRM.XML RegAsm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_flyout.png RegAsm.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\CLASSIC1.WMF RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0213449.WMF RegAsm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\11.png RegAsm.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\THMBNAIL.PNG RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD21390_.GIF RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\Office14\mset7ge.kic RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher_1.1.0.v20131211-1531.jar RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099171.WMF RegAsm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent_partly-cloudy.png RegAsm.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png RegAsm.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\PREVIEW.GIF RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar RegAsm.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_mid_over.gif RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA02405_.WMF RegAsm.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf.[6BB2D8A2].[KILLYOUASS@protonmail.com].makop RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\Office14\MSCOL11.PPD RegAsm.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui RegAsm.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Athens RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE02293_.WMF RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR41F.GIF RegAsm.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\custom.lua RegAsm.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar RegAsm.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Taipei RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00021_.GIF RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL111.XML RegAsm.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.jpg RegAsm.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\CGMIMP32.CFG RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA02426_.WMF RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00638_.WMF RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\GRAPH_COL.HXC RegAsm.exe File opened for modification C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.UDT RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views_3.7.0.v20140408-0703.jar RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0153518.WMF RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
RegAsm.exepid process 1284 RegAsm.exe -
Deletes system backup catalog 2 TTPs
Ransomware often tries to delete backup files to inhibit system recovery.
-
Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
RegAsm.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe\"" RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\MetadataSys.exe"C:\Users\Admin\AppData\Local\Temp\MetadataSys.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Adds Run entry to start application
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" n12843⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" n12843⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/824-0-0x0000000002020000-0x0000000002031000-memory.dmpFilesize
68KB
-
memory/824-1-0x000000000054F558-0x000000000058CB58-disk.dmpFilesize
245KB
-
memory/1284-9-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1284-10-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB