Analysis
max time kernel: 145s
max time network: 119s
platform: windows10_x64
resource: win10v200430
submitted: 12-06-2020 06:16

Static task: static1
Behavioral task: behavioral1
  Sample: 3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe
  Resource: win10v200430
General
Target: 3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe
Size: 34KB
MD5: bde2f27f6b935235725cff2033c8c6d0
SHA1: 5c057698c23c706b20d632801955ea4c0fd8c8a6
SHA256: 3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c
SHA512: 8c8e09e0ef74c604f3ed6f92d14c9aa051e32273f0f7258c414dc04ea1075241a128d9bdc5582e7a210e3129a1a05bfc4d5edbaa18493e5d158653ebb33d8dfe
Malware Config
Extracted
Path: C:\readme-warning.txt
Family: makop
Emails: origami7@firemail.cc, prosoft@tutanota.com
Signatures

Suspicious use of AdjustPrivilegeToken (50 IoCs)
Processes: svchost.exe, vssvc.exe, wbengine.exe, WMIC.exe
  Token: SeTcbPrivilege (PID 420 svchost.exe)
  Token: SeTcbPrivilege (PID 420 svchost.exe)
  Token: SeBackupPrivilege (PID 1076 vssvc.exe)
  Token: SeRestorePrivilege (PID 1076 vssvc.exe)
  Token: SeAuditPrivilege (PID 1076 vssvc.exe)
  Token: SeBackupPrivilege (PID 1700 wbengine.exe)
  Token: SeRestorePrivilege (PID 1700 wbengine.exe)
  Token: SeSecurityPrivilege (PID 1700 wbengine.exe)
  Token: SeIncreaseQuotaPrivilege (PID 2420 WMIC.exe)
  Token: SeSecurityPrivilege (PID 2420 WMIC.exe)
  Token: SeTakeOwnershipPrivilege (PID 2420 WMIC.exe)
  Token: SeLoadDriverPrivilege (PID 2420 WMIC.exe)
  Token: SeSystemProfilePrivilege (PID 2420 WMIC.exe)
  Token: SeSystemtimePrivilege (PID 2420 WMIC.exe)
  Token: SeProfSingleProcessPrivilege (PID 2420 WMIC.exe)
  Token: SeIncBasePriorityPrivilege (PID 2420 WMIC.exe)
  Token: SeCreatePagefilePrivilege (PID 2420 WMIC.exe)
  Token: SeBackupPrivilege (PID 2420 WMIC.exe)
  Token: SeRestorePrivilege (PID 2420 WMIC.exe)
  Token: SeShutdownPrivilege (PID 2420 WMIC.exe)
  Token: SeDebugPrivilege (PID 2420 WMIC.exe)
  Token: SeSystemEnvironmentPrivilege (PID 2420 WMIC.exe)
  Token: SeRemoteShutdownPrivilege (PID 2420 WMIC.exe)
  Token: SeUndockPrivilege (PID 2420 WMIC.exe)
  Token: SeManageVolumePrivilege (PID 2420 WMIC.exe)
  Token: 33 (PID 2420 WMIC.exe)
  Token: 34 (PID 2420 WMIC.exe)
  Token: 35 (PID 2420 WMIC.exe)
  Token: 36 (PID 2420 WMIC.exe)
  The same 21 WMIC.exe (PID 2420) token entries are recorded a second time, giving 50 IoCs in total.
Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
Processes: svchost.exe
  PID 420 created 2536 (PID 420 svchost.exe, target process 3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe)
  PID 420 created 2536 (PID 420 svchost.exe, target process 3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe)
Suspicious use of WriteProcessMemory (16 IoCs)
Processes: svchost.exe, 3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe
  PID 420 wrote to memory of 580 (PID 420 svchost.exe, target process 3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe), 7 entries
  PID 2536 wrote to memory of 764 (PID 2536 3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe, target process cmd.exe), 2 entries
  PID 420 wrote to memory of 1956 (PID 420 svchost.exe, target process 3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe), 7 entries
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run entry to start application (2 TTPs, 1 IoC)
Processes: 3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe\"" (3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe
  PID 2536 3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe
  PID 2536 3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Makop
Ransomware family discovered by @VK_Intel in early 2020.
Processes: wbadmin.exe
  PID 1488 wbadmin.exe

Deletes system backup catalog (2 TTPs)
Ransomware often tries to delete backup files to inhibit system recovery.
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
  PID 400 vssadmin.exe
Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vds.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 (vds.exe)
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName (vds.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 (vds.exe)
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName (vds.exe)
Drops file in Program Files directory (15992 IoCs)
Processes: 3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe
Each entry below is "File opened for modification" by 3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe; the page lists 64 of the 15992 entries.
  C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\WorldClockWideTile.scale-200.png
  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\AppxManifest.xml
  C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\PesterThrow.ps1
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\flags.png
  C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml
  C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\shape_cylinder.3mf
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\facepalm.png
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\la_16x11.png
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar
  C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms
  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\178.png
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\WideTile.scale-200.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\uk-ua\ui-strings.js
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-400.png
  C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\LiveTiles\avatar150x150.png
  C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OneConnectAppList.targetsize-32.png
  C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-fullcolor.png
  C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-36_altform-unplated.png
  C:\Program Files\Java\jre1.8.0_66\lib\charsets.jar
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\BLUEPRNT.ELM
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\13h.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ro-ro\ui-strings.js
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_BG-BG.respack
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\MedTile.scale-200.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main-selector.css
  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\MedTile.scale-100.png
  C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\9724_32x32x32.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\main.css
  C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeGreaterThan.ps1
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\call.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeWideTile.scale-125.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-400.png
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\LAYERS.INF
  C:\Program Files\VideoLAN\VLC\skins\winamp2.xml
  C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Tick.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1725_24x24x32.png
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\LargeTile.scale-200.png
  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms
  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL111.XML
  C:\Program Files\Microsoft Office\root\vfs\Common Programs\Microsoft Office Tools\Spreadsheet Compare.lnk
  C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\bb_16x11.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-100.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-40.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\ui-strings.js
  C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ppd.xrm-ms
  C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sr_60x42.png
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\LargeTile.scale-200.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-tw\ui-strings.js
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\sakura.png
  C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\OneConnectAppList.targetsize-256.png
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-32.png
  C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.targetsize-64.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8577_40x40x32.png
  C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\_Resources\3.rsrc
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar
  C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-40.png
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsSmallTile.scale-200.png
Processes (indentation shows parent/child depth; the first indented line under each image is its command line)

[1] C:\Users\Admin\AppData\Local\Temp\3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe
    "C:\Users\Admin\AppData\Local\Temp\3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe"
    - Suspicious use of WriteProcessMemory
    - Adds Run entry to start application
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in Program Files directory
    [2] C:\Users\Admin\AppData\Local\Temp\3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe
        "C:\Users\Admin\AppData\Local\Temp\3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe" n2536
    [2] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        [3] C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
        [3] C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            - Deletes backup catalog
        [3] C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe
        "C:\Users\Admin\AppData\Local\Temp\3c173d419e145647921a60703704496f25b5348128aeeb293208e6558cac711c.exe" n2536

[1] \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s seclogon
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of WriteProcessMemory

[1] C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
    - Modifies service

[1] C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding

[1] C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    - Checks SCSI registry key(s)
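The process tree above shows the two behaviours a detection engineer would want to alert on from endpoint telemetry: the three recovery-inhibition commands (vssadmin delete shadows /all /quiet, wbadmin delete catalog -quiet, wmic shadowcopy delete) launched under one cmd.exe, and the Run-key value whose data points into AppData\Local\Temp. The script below is an added example, not part of this sandbox report: it runs simple rules over constructed process-creation and registry-set events shaped like the report's tree (PIDs reused for readability, the sample's file name replaced by the stand-in makop_sample.exe) and correlates the deletion commands by parent PID so that a lone administrative vssadmin call does not fire on its own. The event schema is an assumption; map it onto whatever your EDR or Sysmon pipeline produces.

```python
"""Rule-based triage of process-creation and registry-set events for the
behaviours in the report above: shadow-copy and backup-catalog deletion
(vssadmin / wmic / wbadmin) and a Run-key entry pointing at a binary in a
user-writable directory. Added example; the events are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Event:
    kind: str            # "process" (creation) or "registry" (value set); assumed schema
    pid: int
    parent_pid: int
    image: str
    command_line: str = ""
    reg_key: str = ""
    reg_value: str = ""


# Command lines from the report's tree, matched loosely so that case changes,
# an explicit ".exe" or extra flags do not slip past the rule.
INHIBIT_RECOVERY = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
}

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Paths a standard user can write to; the report's Run value points into AppData\Local\Temp.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Local|Roaming)\\", re.I)


def match_inhibit_recovery(ev: Event) -> List[str]:
    """Names of the recovery-inhibition commands a process event matches."""
    if ev.kind != "process":
        return []
    return [name for name, rx in INHIBIT_RECOVERY.items() if rx.search(ev.command_line)]


def match_run_key_user_path(ev: Event) -> bool:
    """True when a registry event sets a Run value whose data lies in a user-writable path."""
    return (ev.kind == "registry"
            and RUN_KEY.search(ev.reg_key) is not None
            and USER_WRITABLE.search(ev.reg_value) is not None)


def evaluate(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Per-event hits as (pid, image, rule_name)."""
    hits: List[Tuple[int, str, str]] = []
    for ev in events:
        for name in match_inhibit_recovery(ev):
            hits.append((ev.pid, ev.image, name))
        if match_run_key_user_path(ev):
            hits.append((ev.pid, ev.image, "run_key_user_writable_path"))
    return hits


def correlate_parents(events: List[Event], threshold: int = 2) -> Dict[int, List[str]]:
    """Parent PIDs under which at least `threshold` distinct deletion commands ran.
    One 'vssadmin delete shadows' may be an administrator; three different
    deletion commands from one cmd.exe is the pattern in the report."""
    by_parent: Dict[int, Set[str]] = {}
    for ev in events:
        for name in match_inhibit_recovery(ev):
            by_parent.setdefault(ev.parent_pid, set()).add(name)
    return {ppid: sorted(names) for ppid, names in by_parent.items() if len(names) >= threshold}


# Constructed events modelled on the report's process tree, plus two benign
# look-alikes (an admin listing shadows, a vendor Run entry in Program Files).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\makop_sample.exe"   # stand-in name, constructed
SID = r"\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000"
EVENTS = [
    Event("process", 2536, 1000, SAMPLE, f'"{SAMPLE}"'),
    Event("registry", 2536, 1000, SAMPLE,
          reg_key=SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\1",
          reg_value=f'"{SAMPLE}"'),
    Event("process", 764, 2536, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    Event("process", 400, 764, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    Event("process", 1488, 764, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    Event("process", 2420, 764, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    Event("process", 3100, 3000, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
    Event("registry", 3200, 3000, r"C:\Program Files\Vendor\setup.exe",
          reg_key=SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
          reg_value=r'"C:\Program Files\Vendor\agent.exe"'),
]

if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print("hit:", hit)
    print("parents with correlated deletion commands:", correlate_parents(EVENTS))
```

The per-event rules are what most Sigma-style detections already express; correlate_parents adds the cheap second step that turns three medium-severity events into one high-confidence alert keyed on the cmd.exe that spawned them, which is what the tree above shows.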