Analysis
- max time kernel: 140s
- max time network: 150s
- platform: windows10_x64
- resource: win10
- submitted: 24-06-2020 05:01
Static task: static1
Behavioral task: behavioral1
- Sample: 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
- Resource: win10
General
- Target: 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
  (Korean, "Resume_All career details have been entered, please check, thank you.exe": a job-application lure. The garbled form of this name shown elsewhere on the page, "μ΄λ ₯μ_κ²½λ ₯μ¬νμ ...", is the UTF-8 bytes of the Korean text decoded as ISO-8859-7 Greek, with the resulting C1 control characters dropped.)
- Size: 196KB
- MD5: 2b581dad6e832d91b1e03ad22ead74a3
- SHA1: f9b81dba7907a7f95690a09eb4d71c74fd753f75
- SHA256: ff91860e1c0ee0dda06ef8e326e2e284ee7ec0de97ee80348720c5ab637f8cf5
- SHA512: 2c9e568c6f104a406cad3fc68618d15f839833e01a791755223e7f6e55bc6dc656c56e74b1160c0923aaaef473e3aefcf782ee7d1ec7220a1cdb12d1c959afe5
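How the lure filename was recovered, as an added check that is not part of the sandbox report: the string the page displays is what the Korean name turns into when its UTF-8 bytes are read back as ISO-8859-7 (Greek), after the HTML rendering drops the C1 control characters that bytes 0x80-0x9F produce. The Korean candidate and its English reading are the editor's reconstruction; the code reproduces the corruption and compares the result with the string on the page, so the reconstruction is verified rather than assumed.

```python
"""Verify a mojibake reconstruction: UTF-8 Korean read as ISO-8859-7.

Added example, not output of the sandbox. ON_PAGE is copied from the report
(with ordinary spaces where it showed spaces); CANDIDATE is the editor's guess.
"""
import unicodedata

ON_PAGE = "μ΄λ ₯μ_κ²½λ ₯μ¬νμ λͺ¨λ κΈ°μ¬νμμ΅λλ€ νμΈλΆνλλ¦¬κ² μ΅λλ€ κ°μ¬ν©λλ€.exe"
# "Resume_All career details have been entered, please check, thank you.exe"
CANDIDATE = "이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe"


def mangle(korean: str) -> str:
    """Reproduce the corruption: UTF-8 bytes decoded as ISO-8859-7.

    Bytes with no ISO-8859-7 mapping (0xAE, 0xD2, 0xFF) would be dropped by
    errors="ignore"; none occur in CANDIDATE, so nothing is lost here.
    """
    return korean.encode("utf-8").decode("iso8859_7", errors="ignore")


def as_displayed(text: str) -> str:
    """Normalise to what an HTML page actually shows of a mis-decoded string.

    Continuation bytes 0x80-0x9F become C1 controls (U+0080-U+009F), which
    browsers and text extractors drop; 0xAD is a soft hyphen (invisible); 0xA0
    is NBSP, rendered as a space. NFKD then folds look-alike marks (Greek tonos
    U+0384 vs acute accent U+00B4) that copy/paste may have substituted.
    """
    kept = []
    for ch in text:
        cp = ord(ch)
        if 0x80 <= cp <= 0x9F or cp == 0xAD:
            continue
        kept.append(" " if cp == 0xA0 else ch)
    return unicodedata.normalize("NFKD", "".join(kept))


def matches_page(candidate: str = CANDIDATE, shown: str = ON_PAGE) -> bool:
    """True when the candidate, corrupted the same way, renders as the page text."""
    return as_displayed(mangle(candidate)) == as_displayed(shown)


if __name__ == "__main__":
    print("reconstruction matches page:", matches_page())
    print("mangled candidate:", as_displayed(mangle(CANDIDATE)))
```

The same round trip works for any Hangul name, since every UTF-8 lead byte for the Hangul block (0xEA-0xED) maps to a Greek lowercase letter in ISO-8859-7; a report full of "κ", "λ", "μ", "ν" followed by debris is the signature of this particular mis-decoding.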
Malware Config
Extracted
- Path: C:\readme-warning.txt
- Family: makop
- Emails: akzhq615@protonmail.com
Signatures
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
- svchost.exe (PID 3520): SeTcbPrivilege (2 times)
- vssvc.exe (PID 3876): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- wbengine.exe (PID 1768): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
- WMIC.exe (PID 476), the same sequence twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privilege LUIDs 33, 34, 35, 36 (left unresolved by the sandbox; by the standard LUID assignments these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege)
None of these processes is the sample itself. vssvc.exe and wbengine.exe are the Volume Shadow Copy and Block Level Backup Engine services started by the vssadmin/wmic and wbadmin commands in the process tree, and WMIC.exe enabling nearly every privilege in its token at startup is routine for that tool. The signature is a side effect of the recovery-inhibition commands, not an independent capability of the sample.
-
Deletes backup catalog 1 IoCs
Processes:
- wbadmin.exe (PID 3936)
-
Modifies service 2 TTPs 5 IoCs
Processes:
- vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
- vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
- vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
All five keys are written by vssvc.exe (the Volume Shadow Copy service) under its own VSS\Diag branch as the VSS writers come up after the service was started by the shadow-copy deletion; the sample does not touch service configuration itself.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 16018 IoCs
Processes:
Every entry below is "File opened for modification" by 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe (the sample). Despite the signature name, the IoCs record existing files being opened for writing across Program Files, Program Files (x86) and the WindowsApps store, consistent with the encryption pass reaching those directories. Only the first 64 of the 16018 entries are listed.
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.ja_5.5.0.165303.jar
- C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white.png
- C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-200.png
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\WideTile.scale-100.png
- C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.16112.11601.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-down.svg
- C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.boot.tree.dat
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.scale-125.png
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-256.png
- C:\Program Files\Java\jre1.8.0_66\lib\management\jmxremote.access
- C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms
- C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png
- C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-80.png
- C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml
- C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms
- C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms
- C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_altform-unplated_contrast-black.png
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar
- C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-unplated.png
- C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-30_altform-unplated_contrast-white.png
- C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\Icons\freecell.png
- C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\GameBar.winmd
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\ui-strings.js
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailBadge.scale-200.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check.cur
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\THMBNAIL.PNG
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_invite_18.svg
- C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\HelpIcon_contrast-black.png
- C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-16_altform-unplated.png
- C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated.png
- C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\PesterThrow.Tests.ps1
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchSmallTile.scale-125.png
- C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60_altform-unplated_contrast-black.png
- C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ly_16x11.png
- C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\example_icons.png
- C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\msipc.dll.mui
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\WideTile.scale-100.png
- C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireAppList.targetsize-48_altform-unplated.png
- C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Bark.png
- C:\Program Files\WindowsApps\Microsoft.People_2017.222.1920.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml
- C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-fullcolor.png
- C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLike.ps1
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\ui-strings.js
- C:\Program Files\Microsoft Office\root\Office16\MEDIA\WHOOSH.WAV
- C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-200_contrast-white.png
- C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.dualsim2.wink.scale-150.png
- C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-200.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon_hover.png
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\MedTile.scale-125.png
- C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\bq_60x42.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_rename_18.svg
- C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms
- C:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV
- C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ht_16x11.png
- C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\StartTile.hcp
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\en-GB_female_TTS\prompts_en-GB_TTS.lua
- C:\Program Files\7-Zip\Lang\br.txt
- C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-16.png
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8498_20x20x32.png
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe (PID 2896), 2 times
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- OpenWith.exe (PID 1160)
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- vssadmin.exe (PID 3820)
-
Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
- 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe" (the value data is the quoted path to the sample in the user's Temp directory; the value name is "1")
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
- svchost.exe (PID 3520) wrote to memory of PID 2888 (이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe): 7 times
- 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe (PID 2896) wrote to memory of PID 3880 (cmd.exe): 2 times
- cmd.exe (PID 3880) wrote to memory of PID 3820 (vssadmin.exe): 2 times
- cmd.exe (PID 3880) wrote to memory of PID 3936 (wbadmin.exe): 2 times
- cmd.exe (PID 3880) wrote to memory of PID 476 (WMIC.exe): 2 times
- svchost.exe (PID 3520) wrote to memory of PID 2788 (이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe): 7 times
- svchost.exe (PID 3520) wrote to memory of PID 3868 (이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe): 7 times
- svchost.exe (PID 3520) wrote to memory of PID 2980 (이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe): 7 times
Each writer is the creator of the process it writes to: svchost.exe (PID 3520, the seclogon service instance in the process tree) sets up the four child copies of the sample (PIDs 2888, 2788, 3868, 2980), and the sample and cmd.exe set up the processes they launch. This is the memory writing that accompanies process creation, not injection into an unrelated process.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
- vds.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000
- vds.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName
- vds.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000
- vds.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName
All four reads come from vds.exe, the Virtual Disk Service (started through vdsldr.exe -Embedding in the process tree), enumerating the attached disks; the sample never touches these keys, so this is not sandbox detection by the malware.
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Modifies registry class 1 IoCs
Processes:
- OpenWith.exe: Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings
-
Deletes system backup catalog 2 TTPs
Ransomware often tries to delete backup files to inhibit system recovery.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
Processes:
- svchost.exe (PID 3520) created a process with parent PID 2896 (이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe), 4 times
PID 3520 is the Secondary Logon service (svchost.exe -k netsvcs -s seclogon in the process tree). That service creates processes on behalf of a caller of CreateProcessWithLogonW/CreateProcessWithTokenW and assigns the caller as parent, which is why the four "n2896" copies of the sample sit under the sample in the tree while the creating process, and the WriteProcessMemory entries into them, belong to svchost.exe. Parent-PID-based telemetry attributes the copies to the sample; telemetry that records the creating process shows svchost.exe.
Processes
- C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe (PID 2896)
  Command line: "C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Adds Run entry to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe (first child copy)
    Command line: "C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe" n2896
  - C:\Windows\system32\cmd.exe (PID 3880)
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (PID 3820)
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    - C:\Windows\system32\wbadmin.exe (PID 3936)
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
    - C:\Windows\System32\Wbem\WMIC.exe (PID 476)
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe (second child copy, same command line with argument n2896)
  - C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe (third child copy, same command line with argument n2896)
  - C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe (fourth child copy, same command line with argument n2896)
- \??\c:\windows\system32\svchost.exe (PID 3520)
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Suspicious use of NtCreateUserProcessOtherParentProcess
- C:\Windows\system32\vssvc.exe (PID 3876)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
- C:\Windows\system32\wbengine.exe (PID 1768)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
- C:\Windows\system32\OpenWith.exe (PID 1160)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx
  - Modifies registry class
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
Reading the tree: the sample (PID 2896) re-launches itself four times with the argument "n" followed by its own PID (n2896); per the WriteProcessMemory and NtCreateUserProcessOtherParentProcess signatures those copies are PIDs 2888, 2788, 3868 and 2980 and were created by the seclogon svchost.exe (PID 3520) with the sample as parent. The sample itself starts cmd.exe (PID 3880), which runs the three recovery-inhibition commands (vssadmin delete shadows, wbadmin delete catalog, wmic shadowcopy delete); vssvc.exe, wbengine.exe and vdsldr.exe/vds.exe are the Windows services those commands bring up, not components of the malware. NOTEPAD.EXE opening C:\Users\Admin\Desktop\readme-warning.txt is the ransom note (the path in the extracted Makop config) being displayed.
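The chain above, turned into detection logic as an added example (editor's code, not part of the Triage report or of the Makop sample): a small Python correlator run over constructed Sysmon-style events that mirror the tree. The field names (Image, CommandLine, ParentProcessId, TargetObject, Details) are Sysmon's, the PIDs and command lines are the report's; the sample's parent PID 1234 and the benign "vssadmin list shadows" control event are made up for the example. The point it demonstrates is attribution: each hit is walked up ParentProcessId links to the root of its process tree, so three different recovery-inhibition commands plus a Run-key write are reported against one origin, which separates this pattern from a lone administrative vssadmin call.

```python
"""Correlate recovery-inhibition commands and Run-key persistence per process tree.

Added example; the EVENTS list is constructed to mirror the sandbox report and is
not real log data.  EventID 1 = process creation, EventID 13 = registry value set.
"""
import re
from collections import defaultdict

# Decoded lure filename from the report, in the sandbox's Temp directory.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe"
CMD = r"C:\Windows\system32\cmd.exe"

EVENTS = [
    # Parent PID 1234 is an assumption (the report does not show the sample's launcher).
    {"EventID": 1, "ProcessId": 2896, "ParentProcessId": 1234, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 13, "ProcessId": 2896, "Image": SAMPLE,
     "TargetObject": r"HKU\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\1",
     "Details": f'"{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 3880, "ParentProcessId": 2896, "Image": CMD,
     "CommandLine": f'"{CMD}"'},
    {"EventID": 1, "ProcessId": 3820, "ParentProcessId": 3880,
     "Image": r"C:\Windows\system32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "ProcessId": 3936, "ParentProcessId": 3880,
     "Image": r"C:\Windows\system32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"EventID": 1, "ProcessId": 476, "ParentProcessId": 3880,
     "Image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    # Constructed benign control: an administrator listing shadow copies must not fire.
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 4000,
     "Image": r"C:\Windows\system32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
]

# The three recovery-inhibition commands from the report (ATT&CK T1490).  Only the
# token order the tool itself requires is assumed; switches and case are free.
RECOVERY_INHIBITION = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic shadowcopy delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin delete catalog": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
}
# Run/RunOnce value whose data points into a user-writable location (T1547.001;
# T1060 in the ATT&CK v6 matrix this report uses).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\", re.I)


def root_of(pid, parents):
    """Climb ParentProcessId links to the oldest ancestor we hold an event for."""
    while pid in parents and parents[pid] in parents:
        pid = parents[pid]
    return pid


def analyze(events):
    """Return {root pid: sorted technique labels} for trees showing recovery
    inhibition and/or Run-key persistence into a user-writable path."""
    parents = {e["ProcessId"]: e["ParentProcessId"] for e in events if e["EventID"] == 1}
    findings = defaultdict(set)
    for e in events:
        root = root_of(e["ProcessId"], parents)
        if e["EventID"] == 1:
            for label, pattern in RECOVERY_INHIBITION.items():
                if pattern.search(e["CommandLine"]):
                    findings[root].add(f"T1490 {label}")
        elif e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"]) \
                and USER_WRITABLE.search(e["Details"]):
            findings[root].add("T1547.001 Run key pointing into user-writable path")
    return {pid: sorted(labels) for pid, labels in findings.items()}


def verdict(labels):
    """Two or more distinct T1490 commands from one tree is the pattern in this
    report; a single one can be a legitimate maintenance script and only gets
    'review'."""
    n_inhibit = sum(label.startswith("T1490") for label in labels)
    persistence = any(label.startswith("T1547") for label in labels)
    if n_inhibit >= 2:
        return "ransomware-like" + (" + persistence" if persistence else "")
    return "review" if n_inhibit or persistence else "clean"


if __name__ == "__main__":
    for pid, labels in analyze(EVENTS).items():
        print(pid, verdict(labels), labels)
```

Against these events the sample's tree (root PID 2896) collects all three T1490 commands and the Run-key hit, while the control "vssadmin list shadows" produces no finding. The same correlation is what a SIEM rule should express: alert on two or more distinct recovery-inhibition commands under one ancestor rather than on vssadmin alone, and treat a Run value that resolves into the user's Temp directory as an independent hit.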
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Artifacts captured during the run: Explorer icon-cache files from the victim profile, the ransom note on the Desktop, and memory dumps and mapping files for the processes in the tree.
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db
- C:\Users\Admin\Desktop\readme-warning.txt
- memory/476-6-0x0000000000000000-mapping.dmp
- memory/2788-13-0x0000000002A30000-0x0000000002A31000-memory.dmp (Filesize 4KB)
- memory/2788-12-0x0000000000E60000-0x0000000000E61000-memory.dmp (Filesize 4KB)
- memory/2788-11-0x0000000000000000-mapping.dmp
- memory/2888-8-0x0000000002890000-0x0000000002891000-memory.dmp (Filesize 4KB)
- memory/2888-7-0x0000000000E00000-0x0000000000E01000-memory.dmp (Filesize 4KB)
- memory/2888-2-0x0000000000000000-mapping.dmp
- memory/2896-0-0x0000000000FAA000-0x0000000000FAB000-memory.dmp (Filesize 4KB)
- memory/2896-1-0x0000000002B60000-0x0000000002B61000-memory.dmp (Filesize 4KB)
- memory/2980-30-0x0000000000000000-mapping.dmp
- memory/2980-31-0x0000000000D20000-0x0000000000D21000-memory.dmp (Filesize 4KB)
- memory/2980-32-0x0000000002880000-0x0000000002881000-memory.dmp (Filesize 4KB)
- memory/3820-4-0x0000000000000000-mapping.dmp
- memory/3868-27-0x0000000000000000-mapping.dmp
- memory/3868-28-0x0000000000CC0000-0x0000000000CC1000-memory.dmp (Filesize 4KB)
- memory/3868-29-0x0000000002910000-0x0000000002911000-memory.dmp (Filesize 4KB)
- memory/3880-3-0x0000000000000000-mapping.dmp
- memory/3936-5-0x0000000000000000-mapping.dmp