이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe

General

Target: 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
(Korean filename, roughly "Resume_I have listed all my career details, please check, thank you.exe": a resume-themed lure name. It is kept verbatim throughout the report because the name itself is an indicator.)
Filesize: 219KB
Completed: 24-06-2020 13:29
Score: 10/10
MD5: 1d1bd74c388d4dc2fc9e832d1571f7dd
SHA1: 2c129b8fef3444c1e2b48aa9638611bb73b631f8
SHA256: bc225c5fe58ce3b42512871afdcc4513a870812b6b6477d8fe53bca77100660e

Malware Config

Extracted

Path: C:\readme-warning.txt
Family: makop
Ransom Note:
::: Greetings :::
Little FAQ:
.1. Q: Whats Happen? A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen.
.2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins.
.3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.
.4. Q: How to contact with you? A: You can write us to our mailbox: akzhq615@protonmail.com
.5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.
.6. Q: If I don't want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.
:::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Emails: akzhq615@protonmail.com

Signatures (14)

Tactics covered: Collection, Credential Access, Defense Evasion, Discovery, Execution, Impact, Persistence
  • Makop

    Description

    Ransomware family discovered by @VK_Intel in early 2020.

  • Suspicious use of NtCreateUserProcessOtherParentProcess
    svchost.exe

    Reported IOCs (the same row is reported four times)

    description | pid | process | target process
    PID 3036 created 2964 | 3036 | svchost.exe | 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe

    PID 3036 is the Secondary Logon service host (svchost.exe -k netsvcs -s seclogon, see Processes). That service starts processes on behalf of a caller (CreateProcessWithLogonW / CreateProcessWithTokenW), so it appears as the creating process while the requesting process is recorded as the parent, which is exactly what this signature keys on. The four rows line up with the four worker instances of the sample started with the argument n2964 (PIDs 3020, 968, 1772 and 1452), whose memory svchost 3036 also writes to (see WriteProcessMemory below). The hit is therefore consistent with the sample relaunching itself through seclogon, not with a compromised system service.
  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs: File Deletion, Inhibit System Recovery
  • Deletes backup catalog
    wbadmin.exe

    Description

    Uses wbadmin.exe to inhibit system recovery.

    TTPs: Command-Line Interface, File Deletion, Inhibit System Recovery

    Reported IOCs

    pid | process
    2960 | wbadmin.exe
  • Modifies extensions of user files
    이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\Pictures\ProtectUnblock.tiff | 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs: Data from Local System, Credentials in Files

    No IOC rows accompany this signature in the report, so it cannot be tied to a specific process or path here; for a file-encrypting ransomware it is as likely to have fired on the encryptor opening browser profile files for encryption as on credential theft.
  • Adds Run key to start application
    이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe

    TTPs: Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe\"" | 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe

    The value is written under the user's own hive (HKU\<SID>, i.e. HKCU for the logged-on user) with the generic name "1", and it points at the sample in the user's Temp directory rather than at an installed location. Persistence of this kind needs no elevation and survives a reboot, so the encryptor can resume on files that were locked or added later.
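The Run value above points at an executable in the user's Temp directory, which is the detail that separates it from ordinary installed-software autostarts. The following Python is an added example, not code from the sandbox or the report: it parses rows in the report's "Set value" format, undoes the escaping of the data, extracts the image path and flags entries whose image lives under a user-writable location. The first constructed row is the report's own IOC; the SecurityHealth row and the non-Run row are made up for contrast, and the set of "user-writable" path components is an assumption a team would tune to its environment.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Matches the "Set value" rows in the report: NT-style registry path with an
# optional user SID, a Run/RunOnce value name, and the data in double quotes.
RUN_VALUE_RE = re.compile(
    r"\\REGISTRY\\(?P<hive>USER|MACHINE)\\"
    r"(?:(?P<sid>S-1-5-[\d-]+)\\)?"
    r"Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>RunOnce|Run)\\"
    r"(?P<name>[^=\s]+)\s*=\s*\"(?P<data>.*)\"\s*$",
    re.IGNORECASE,
)

# Path components an ordinary user can write to (assumed list); an autostart
# entry pointing here deserves a look, whereas Program Files / System32
# entries are the norm for installed software.
USER_WRITABLE_PARTS = {"appdata", "temp", "tmp", "programdata", "downloads", "desktop"}

# Constructed input: the first line is the report's own IOC row, the others are
# made up for contrast (a typical machine-wide entry and a non-Run registry row).
SAMPLE_LINES = [
    r'Set value (str)\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe\""',
    r'Set value (str)\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\System32\\SecurityHealthSystray.exe"',
    r'Key opened\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk',
]


def unescape_report_string(raw: str) -> str:
    """Undo the report's C-style escaping of string data (backslash-backslash, backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", raw)


def command_image(command: str) -> str:
    """Return the executable path of a Run value: the quoted token if present, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(maxsplit=1)[0] if command else ""


def is_user_writable(path: str) -> bool:
    """True when any path component is in the user-writable set, or the path is under C:\\Users\\Public."""
    parts = [p.strip("\\").lower() for p in PureWindowsPath(path).parts]
    if USER_WRITABLE_PARTS.intersection(parts):
        return True
    return len(parts) > 2 and parts[1] == "users" and parts[2] == "public"


def parse_run_value(line: str) -> Optional[Dict[str, object]]:
    """Parse one report row; None when the row is not a Run/RunOnce value write."""
    m = RUN_VALUE_RE.search(line)
    if not m:
        return None
    image = command_image(unescape_report_string(m.group("data")))
    return {
        "hive": m.group("hive").upper(),
        "sid": m.group("sid"),  # None for HKLM entries
        "key": m.group("key"),
        "name": m.group("name"),
        "image": image,
        "user_writable": is_user_writable(image),
    }


def triage_run_entries(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every Run/RunOnce row and return the findings, suspicious ones first."""
    findings = [f for f in (parse_run_value(line) for line in lines) if f is not None]
    findings.sort(key=lambda f: not f["user_writable"])
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_LINES):
        flag = "SUSPICIOUS" if f["user_writable"] else "ok"
        print(f"[{flag}] {f['hive']} {f['sid'] or ''} {f['key']}\\{f['name']} -> {f['image']}")
```

The same parser applies to RunOnce values and to HKLM entries (sid is then None); the location heuristic is deliberately simple, and a production version would also compare the image hash against the sample's and check whether the file is signed.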
  • Legitimate hosting services abused for malware hosting/C2

    TTPs: Web Service

    No network IOC rows are listed for this signature; the only hosted-service reference in the report is the protonmail.com contact address from the ransom note, which is a victim contact channel rather than a C2 endpoint.
  • Drops file in Program Files directory
    이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe

    Reported IOCs (every row: File opened for modification, process 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe)

    C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms
    C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\is_16x11.png
    C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\qa_16x11.png
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-20_altform-unplated.png
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-140.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nl-nl\ui-strings.js
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\check-mark-1x.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ru_135x40.svg
    C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Exist.Tests.ps1
    C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_fr.jar
    C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-24.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\MyriadCAD.otf
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\desktop_acrobat_logo.png
    C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeDownload\download_bar_base.png
    C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\UX\Controls\Xbox360PurchaseControl\Xbox360PurchaseHostPage.html
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\ui-strings.js
    C:\Program Files\Microsoft Office\root\Templates\1033\TimelessResume.dotx
    C:\Program Files\VideoLAN\VLC\lua\intf\dummy.luac
    C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.scale-200.png
    C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-80_altform-colorize.png
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-150.png
    C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreLargeTile.scale-200.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\ui-strings.js
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\nub.png
    C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms
    C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\Square71x71Logo.scale-200.png
    C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PeopleMedTile.scale-100.png
    C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms
    C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1725_40x40x32.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\selector.js
    C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar
    C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.nl_zh_4.4.0.v20140623020002.jar
    C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_ja.jar
    C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBOB6.CHM
    C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\6478_40x40x32.png
    C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-80_altform-colorize.png
    C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\THMBNAIL.PNG
    C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\_Resources\12.rsrc
    C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\resources.pri
    C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\Movie-TVStoreLogo.scale-125.png
    C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\OneConnectAppList.targetsize-24.png
    C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Orange Circles.htm
    C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\HeartbeatConfig.xml
    C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\TimerWideTile.scale-200.png
    C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\LargeTile.scale-200.png
    C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteMediumTile.scale-200.png
    C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sd_60x42.png
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-400.png
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxBadge.scale-200.png
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-125.png
    C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms
    C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-80.png
    C:\Program Files\VideoLAN\VLC\lua\http\css\main.css
    C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCache-Dark.scale-240.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\th_get.svg
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-300.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_organize_18.svg
    C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Bears.htm
    C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ppd.xrm-ms
    C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_KO-KR.respack
    C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\OneConnectAppList.scale-100.png

    Despite the signature name, these are not dropped payloads: they are existing files under Program Files (Office licence files, Store app assets, Acrobat resources, JDK jars, VLC and Pester scripts) that the encryptor opened for writing. The rows show that the sample walks Program Files as well as the user profile, so application installs on the host should be treated as encrypted too, not only user documents.
  • Checks SCSI registry key(s)
    vds.exe

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs: Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | vds.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | vds.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | vds.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName | vds.exe

    All four rows come from vds.exe, the Windows Virtual Disk Service, which was started during the run (vdsldr.exe -Embedding, see Processes) and enumerates disk devices from the SCSI Enum keys as part of its normal operation. The sample itself never touches these keys in this report, so the hit is most plausibly a side effect of the VSS/backup activity rather than anti-sandbox logic in the malware; the HeartDisk and Sanu DVD-ROM names are the virtual hardware presented to the guest.
  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    TTPs: File Deletion, Inhibit System Recovery

    Reported IOCs

    pid | process
    3916 | vssadmin.exe
  • Suspicious behavior: EnumeratesProcesses
    이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe

    Reported IOCs (reported twice)

    pid | process
    2964 | 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
  • Suspicious use of AdjustPrivilegeToken
    svchost.exe, vssvc.exe, wbengine.exe, WMIC.exe

    Reported IOCs

    description | pid | process
    Token: SeTcbPrivilege | 3036 | svchost.exe (reported twice)
    Token: SeBackupPrivilege | 3800 | vssvc.exe
    Token: SeRestorePrivilege | 3800 | vssvc.exe
    Token: SeAuditPrivilege | 3800 | vssvc.exe
    Token: SeBackupPrivilege | 3000 | wbengine.exe
    Token: SeRestorePrivilege | 3000 | wbengine.exe
    Token: SeSecurityPrivilege | 3000 | wbengine.exe
    Token: SeIncreaseQuotaPrivilege | 2832 | WMIC.exe
    Token: SeSecurityPrivilege | 2832 | WMIC.exe
    Token: SeTakeOwnershipPrivilege | 2832 | WMIC.exe
    Token: SeLoadDriverPrivilege | 2832 | WMIC.exe
    Token: SeSystemProfilePrivilege | 2832 | WMIC.exe
    Token: SeSystemtimePrivilege | 2832 | WMIC.exe
    Token: SeProfSingleProcessPrivilege | 2832 | WMIC.exe
    Token: SeIncBasePriorityPrivilege | 2832 | WMIC.exe
    Token: SeCreatePagefilePrivilege | 2832 | WMIC.exe
    Token: SeBackupPrivilege | 2832 | WMIC.exe
    Token: SeRestorePrivilege | 2832 | WMIC.exe
    Token: SeShutdownPrivilege | 2832 | WMIC.exe
    Token: SeDebugPrivilege | 2832 | WMIC.exe
    Token: SeSystemEnvironmentPrivilege | 2832 | WMIC.exe
    Token: SeRemoteShutdownPrivilege | 2832 | WMIC.exe
    Token: SeUndockPrivilege | 2832 | WMIC.exe
    Token: SeManageVolumePrivilege | 2832 | WMIC.exe
    Token: 33 | 2832 | WMIC.exe
    Token: 34 | 2832 | WMIC.exe
    Token: 35 | 2832 | WMIC.exe
    Token: 36 | 2832 | WMIC.exe
    (The whole WMIC.exe block above is reported twice in the original.)

    The privilege adjustments by vssvc.exe (Volume Shadow Copy service) and wbengine.exe (Block Level Backup Engine) are those services doing their normal work when vssadmin and wbadmin ask them to delete shadows and the backup catalog; the SeTcbPrivilege use by svchost 3036 belongs to the Secondary Logon service. WMIC.exe enables every privilege present in its token at start-up on ordinary invocations too, so the long list is not evidence of escalation; the detection-relevant fact for pid 2832 is its command line (wmic shadowcopy delete). The bare numbers 33 to 36 are privilege LUIDs the sandbox did not resolve to names; in the standard Windows privilege table these are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36).
  • Suspicious use of WriteProcessMemory
    svchost.exe, 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe, cmd.exe

    Reported IOCs (repeat count of each row in parentheses)

    description | pid | process | target process
    PID 3036 wrote to memory of 3020 (7 rows) | 3036 | svchost.exe | 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
    PID 2964 wrote to memory of 3372 (2 rows) | 2964 | 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe | cmd.exe
    PID 3372 wrote to memory of 3916 (2 rows) | 3372 | cmd.exe | vssadmin.exe
    PID 3372 wrote to memory of 2960 (2 rows) | 3372 | cmd.exe | wbadmin.exe
    PID 3372 wrote to memory of 2832 (2 rows) | 3372 | cmd.exe | WMIC.exe
    PID 3036 wrote to memory of 968 (7 rows) | 3036 | svchost.exe | 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
    PID 3036 wrote to memory of 1772 (7 rows) | 3036 | svchost.exe | 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
    PID 3036 wrote to memory of 1452 (7 rows) | 3036 | svchost.exe | 이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe

    Every writer here is the creator of its target (the sample into cmd.exe, cmd.exe into vssadmin/wbadmin/WMIC, the seclogon svchost into the four n2964 worker instances), and a process that creates another writes the new process's startup data into it before it runs. The rows therefore mirror the process tree rather than indicating injection into an unrelated process; the useful reading is that they confirm which process launched which.
Processes 14
  • C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
    "C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe"
    Modifies extensions of user files
    Adds Run key to start application
    Drops file in Program Files directory
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:2964
    • C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
      "C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe" n2964
      PID:3020
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      Suspicious use of WriteProcessMemory
      PID:3372
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        Interacts with shadow copies
        PID:3916
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        Deletes backup catalog
        PID:2960
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        Suspicious use of AdjustPrivilegeToken
        PID:2832
    • C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
      "C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe" n2964
      PID:968
    • C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
      "C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe" n2964
      PID:1772
    • C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe
      "C:\Users\Admin\AppData\Local\Temp\이력서_경력사항은 모두 기재하였습니다 확인부탁드리겠습니다 감사합니다.exe" n2964
      PID:1452
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s seclogon
    Suspicious use of NtCreateUserProcessOtherParentProcess
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3036
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:3800
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    Suspicious use of AdjustPrivilegeToken
    PID:3000
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    PID:2888
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    Checks SCSI registry key(s)
    PID:640
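The process tree above gives the full lineage of the three recovery-inhibiting commands (sample 2964 to cmd.exe 3372 to vssadmin, wbadmin and WMIC) and shows the worker instances that the seclogon svchost created with the sample recorded as parent. The following Python is an added example, not code from the sandbox or the report: it rebuilds that tree from constructed process-creation events and flags both patterns, which is the logic a hunt query over EDR process telemetry would encode. PIDs, images and command lines come from the tree above; the "creator" column, the stand-in name resume.exe for the Korean-named sample, and the PIDs 1000 (launcher) and 600 (services.exe) are assumptions made so the example has a complete tree.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Stand-in for the long Korean-named sample path (assumption; the real name is
# kept verbatim elsewhere on the page and is shortened here only for readability).
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\resume.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # parent recorded for the new process (what Sysmon EID 1 shows)
    creator: int   # process that actually issued the create call (EDR/kernel ETW)
    image: str
    cmdline: str


# Constructed events mirroring the sandbox process tree. The creator column and
# the PIDs 600/1000 are assumptions; everything else is copied from the report.
EVENTS: List[ProcEvent] = [
    ProcEvent(3036, 600, 600, r"C:\Windows\system32\svchost.exe",
              r"c:\windows\system32\svchost.exe -k netsvcs -s seclogon"),
    ProcEvent(2964, 1000, 1000, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(3020, 2964, 3036, SAMPLE_EXE, f'"{SAMPLE_EXE}" n2964'),
    ProcEvent(3372, 2964, 2964, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(3916, 3372, 3372, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(2960, 3372, 3372, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ProcEvent(2832, 3372, 3372, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(968, 2964, 3036, SAMPLE_EXE, f'"{SAMPLE_EXE}" n2964'),
    ProcEvent(1772, 2964, 3036, SAMPLE_EXE, f'"{SAMPLE_EXE}" n2964'),
    ProcEvent(1452, 2964, 3036, SAMPLE_EXE, f'"{SAMPLE_EXE}" n2964'),
]

# Command-line patterns for the three recovery-inhibiting commands in the
# report (ATT&CK T1490, Inhibit System Recovery).
RECOVERY_INHIBIT: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I), "wbadmin delete catalog"),
    (re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I), "wmic shadowcopy delete"),
]


def index_by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestry(events: List[ProcEvent], pid: int) -> List[int]:
    """Follow recorded parent links from pid upwards; returns [root, ..., pid].

    Stops at a parent missing from the event set or at a cycle (spoofed parents
    can produce loops in real telemetry).
    """
    by_pid = index_by_pid(events)
    chain: List[int] = []
    seen: Set[int] = set()
    cur: Optional[ProcEvent] = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.pid)
        cur = by_pid.get(cur.ppid)
    chain.reverse()
    return chain


def find_recovery_inhibition(events: List[ProcEvent]) -> List[Tuple[int, str, List[int]]]:
    """Flag processes running shadow-copy/backup-catalog deletion, with their lineage."""
    hits = []
    for e in events:
        for pattern, label in RECOVERY_INHIBIT:
            if pattern.search(e.cmdline):
                hits.append((e.pid, label, ancestry(events, e.pid)))
    return hits


def inhibition_roots(events: List[ProcEvent]) -> Set[int]:
    """Root PIDs whose descendants ran recovery-inhibiting commands.

    Keying on the root rather than on vssadmin.exe alone matters because backup
    software runs vssadmin legitimately; here all three commands trace to 2964.
    """
    return {chain[0] for _, _, chain in find_recovery_inhibition(events)}


def find_parent_spoofing(events: List[ProcEvent]) -> List[Tuple[int, int, int, str]]:
    """Processes whose recorded parent is not the process that created them.

    This is the condition behind the NtCreateUserProcessOtherParentProcess
    signature. Returns (pid, recorded parent, creator, creator image).
    """
    by_pid = index_by_pid(events)
    out = []
    for e in events:
        if e.creator != e.ppid:
            creator_image = by_pid[e.creator].image if e.creator in by_pid else "<unknown>"
            out.append((e.pid, e.ppid, e.creator, creator_image))
    return out


if __name__ == "__main__":
    for pid, label, chain in find_recovery_inhibition(EVENTS):
        print(f"T1490 {label}: pid {pid}, lineage {' -> '.join(map(str, chain))}")
    for pid, ppid, creator, image in find_parent_spoofing(EVENTS):
        print(f"parent mismatch: pid {pid} recorded parent {ppid}, created by {creator} ({image})")
```

Sysmon Event ID 1 records only the parent the new process itself reports, so a process started through seclogon looks normally parented there; the creator column needs telemetry that records which process made the create call (kernel process-creation ETW or an EDR sensor). Without it the parent-mismatch check cannot run, but the lineage check over command lines still does.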
Network
MITRE ATT&CK Matrix (tactic columns shown): Command and Control, Credential Access, Exfiltration, Initial Access, Lateral Movement, Privilege Escalation

Downloads (memory dumps captured during the run)
• memory/968-9-0x0000000000000000-mapping.dmp
• memory/968-11-0x00000000029E0000-0x00000000029E1000-memory.dmp
• memory/968-10-0x0000000000F10000-0x0000000000F11000-memory.dmp
• memory/1452-16-0x0000000000E30000-0x0000000000E31000-memory.dmp
• memory/1452-15-0x0000000000000000-mapping.dmp
• memory/1452-17-0x00000000029E0000-0x00000000029E1000-memory.dmp
• memory/1772-12-0x0000000000000000-mapping.dmp
• memory/1772-13-0x0000000000CA0000-0x0000000000CA1000-memory.dmp
• memory/1772-14-0x0000000002880000-0x0000000002881000-memory.dmp
• memory/2832-8-0x0000000000000000-mapping.dmp
• memory/2960-5-0x0000000000000000-mapping.dmp
• memory/2964-1-0x0000000002A60000-0x0000000002A61000-memory.dmp
• memory/2964-0-0x0000000000F1A000-0x0000000000F1B000-memory.dmp
• memory/3020-6-0x0000000000DB0000-0x0000000000DB1000-memory.dmp
• memory/3020-7-0x0000000002900000-0x0000000002901000-memory.dmp
• memory/3020-2-0x0000000000000000-mapping.dmp
• memory/3372-3-0x0000000000000000-mapping.dmp
• memory/3916-4-0x0000000000000000-mapping.dmp