이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe

General
Target

이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe

Filesize

219KB

Completed

24-06-2020 13:29

Score
10 /10
MD5

1d1bd74c388d4dc2fc9e832d1571f7dd

SHA1

2c129b8fef3444c1e2b48aa9638611bb73b631f8

SHA256

bc225c5fe58ce3b42512871afdcc4513a870812b6b6477d8fe53bca77100660e

Malware Config

Extracted

Path C:\readme-warning.txt
Family makop
Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: akzhq615@protonmail.com .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don't want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Emails

akzhq615@protonmail.com

Signatures 13

Collection
Credential Access
Defense Evasion
Execution
Impact
Persistence
  • Makop

    Description

    Ransomware family discovered by @VK_Intel in early 2020.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Deletes backup catalog
    wbadmin.exe

    Description

    Uses wbadmin.exe to inhibit system recovery.

    TTPs

    Command-Line Interface, File Deletion, Inhibit System Recovery

    Reported IOCs

    pid | process
    760 | wbadmin.exe
  • Modifies extensions of user files
    이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\Pictures\DebugConnect.tiff | 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application
    이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe\"" | 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Drops file in Program Files directory
    이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe

    Reported IOCs

  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery

    Reported IOCs

    pid | process
    1536 | vssadmin.exe
  • Modifies system certificate store
    이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe

    TTPs

    Install Root Certificate, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) | 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
  • Suspicious behavior: EnumeratesProcesses
    이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe

    Reported IOCs

    pid | process
    1516 | 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
  • Suspicious use of AdjustPrivilegeToken
    vssvc.exe, wbengine.exe, WMIC.exe

    Reported IOCs

    description | pid | process
    Token: SeBackupPrivilege | 1768 | vssvc.exe
    Token: SeRestorePrivilege | 1768 | vssvc.exe
    Token: SeAuditPrivilege | 1768 | vssvc.exe
    Token: SeBackupPrivilege | 1528 | wbengine.exe
    Token: SeRestorePrivilege | 1528 | wbengine.exe
    Token: SeSecurityPrivilege | 1528 | wbengine.exe
    Token: SeIncreaseQuotaPrivilege | 2000 | WMIC.exe
    Token: SeSecurityPrivilege | 2000 | WMIC.exe
    Token: SeTakeOwnershipPrivilege | 2000 | WMIC.exe
    Token: SeLoadDriverPrivilege | 2000 | WMIC.exe
    Token: SeSystemProfilePrivilege | 2000 | WMIC.exe
    Token: SeSystemtimePrivilege | 2000 | WMIC.exe
    Token: SeProfSingleProcessPrivilege | 2000 | WMIC.exe
    Token: SeIncBasePriorityPrivilege | 2000 | WMIC.exe
    Token: SeCreatePagefilePrivilege | 2000 | WMIC.exe
    Token: SeBackupPrivilege | 2000 | WMIC.exe
    Token: SeRestorePrivilege | 2000 | WMIC.exe
    Token: SeShutdownPrivilege | 2000 | WMIC.exe
    Token: SeDebugPrivilege | 2000 | WMIC.exe
    Token: SeSystemEnvironmentPrivilege | 2000 | WMIC.exe
    Token: SeRemoteShutdownPrivilege | 2000 | WMIC.exe
    Token: SeUndockPrivilege | 2000 | WMIC.exe
    Token: SeManageVolumePrivilege | 2000 | WMIC.exe
    Token: 33 | 2000 | WMIC.exe
    Token: 34 | 2000 | WMIC.exe
    Token: 35 | 2000 | WMIC.exe
  • Suspicious use of WriteProcessMemory
    이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 1516 wrote to memory of 1044 | 1516 | 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe | cmd.exe
    PID 1044 wrote to memory of 1536 | 1044 | cmd.exe | vssadmin.exe
    PID 1044 wrote to memory of 760 | 1044 | cmd.exe | wbadmin.exe
    PID 1044 wrote to memory of 2000 | 1044 | cmd.exe | WMIC.exe
Processes 10
  • C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
    "C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe"
    Modifies extensions of user files
    Adds Run key to start application
    Drops file in Program Files directory
    Modifies system certificate store
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
      "C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe" n1516
      PID:1036
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      Suspicious use of WriteProcessMemory
      PID:1044
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        Interacts with shadow copies
        PID:1536
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        Deletes backup catalog
        PID:760
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        Suspicious use of AdjustPrivilegeToken
        PID:2000
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:1768
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    Suspicious use of AdjustPrivilegeToken
    PID:1528
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    PID:1632
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    PID:1944
Network

MITRE ATT&CK Matrix
Command and Control
Credential Access
Discovery
Exfiltration
Initial Access
Lateral Movement
Privilege Escalation

Downloads
              • memory/760-6-0x0000000000000000-mapping.dmp

              • memory/1036-4-0x000000000028F000-0x0000000000290000-memory.dmp

              • memory/1036-5-0x0000000002400000-0x0000000002411000-memory.dmp

              • memory/1044-2-0x0000000000000000-mapping.dmp

              • memory/1516-1-0x00000000023A0000-0x00000000023B1000-memory.dmp

              • memory/1536-3-0x0000000000000000-mapping.dmp

              • memory/2000-7-0x0000000000000000-mapping.dmp