Sample (SHA256): bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8
Filename: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
Size: 60KB
Date: 25-06-2020 05:32
MD5: 0ed2ca539a01cdb86c88a9a1604b2005
SHA1: 4fed7eae00bfa21938e49f33b7c6794fd7d0750c
Filter: none
Signature: Modifies service (vssvc.exe)
Reported IOCs (description / ioc / process):
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
Signature: Views/modifies file attributes (attrib.exe, attrib.exe, attrib.exe)
Reported IOCs (pid / process):
  2188 attrib.exe
  260 attrib.exe
  280 attrib.exe
Signature: Suspicious use of AdjustPrivilegeToken (vssvc.exe)
Reported IOCs (description / pid / process):
  Token: SeBackupPrivilege 1516 vssvc.exe
  Token: SeRestorePrivilege 1516 vssvc.exe
  Token: SeAuditPrivilege 1516 vssvc.exe
Signature: Executes dropped EXE (Resources:bin, Resources.exe)
Reported IOCs (pid / process):
  1548 Resources:bin
  3812 Resources.exe
Signature: Drops file in System32 directory (Resources:bin, attrib.exe)
Reported IOCs (description / ioc / process):
  File opened for modification: C:\Windows\SysWOW64\Resources.exe (Resources:bin)
  File opened for modification: C:\Windows\SysWOW64\Resources.exe (attrib.exe)
Signature: Modifies file permissions (takeown.exe, icacls.exe)
Reported IOCs (pid / process):
  2604 takeown.exe
  2824 icacls.exe
Signature: Possible privilege escalation attempt (takeown.exe, icacls.exe)
Reported IOCs (pid / process):
  2604 takeown.exe
  2824 icacls.exe
Signature: NTFS ADS (bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe)
Reported IOCs (description / ioc / process):
  File opened for modification: C:\Users\Admin\AppData\Roaming\Resources:bin (bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe)
Signature: Deletes shadow copies
Description: Ransomware often targets backup files to inhibit system recovery.
Signature: Interacts with shadow copies (vssadmin.exe)
Description: Shadow copies are often targeted by ransomware to inhibit system recovery.
Reported IOCs (pid / process):
  1664 vssadmin.exe
Signature: Suspicious use of WriteProcessMemory (bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe, Resources:bin, Resources.exe, cmd.exe, cmd.exe, cmd.exe)
Reported IOCs (pid / process / target pid / target process; identical repeated events collapsed, with the event count in parentheses):
  1484 bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe wrote to memory of 1548 Resources:bin (3)
  1548 Resources:bin wrote to memory of 1664 vssadmin.exe (2)
  1548 Resources:bin wrote to memory of 2604 takeown.exe (3)
  1548 Resources:bin wrote to memory of 2824 icacls.exe (3)
  3812 Resources.exe wrote to memory of 3980 cmd.exe (3)
  3980 cmd.exe wrote to memory of 984 choice.exe (3)
  1548 Resources:bin wrote to memory of 1672 cmd.exe (3)
  1484 bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe wrote to memory of 3484 cmd.exe (3)
  1672 cmd.exe wrote to memory of 3776 choice.exe (3)
  3484 cmd.exe wrote to memory of 980 choice.exe (3)
  3980 cmd.exe wrote to memory of 2188 attrib.exe (3)
  1672 cmd.exe wrote to memory of 260 attrib.exe (3)
  3484 cmd.exe wrote to memory of 280 attrib.exe (3)
Process tree (path; command line; signatures triggered). Parent/child nesting and PIDs are taken from the WriteProcessMemory events reported above; vssvc.exe and Resources.exe have no recorded parent.

bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe (PID 1484)
  Path: C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
  Signatures: NTFS ADS; Suspicious use of WriteProcessMemory

  Resources:bin (PID 1548)
    Path: C:\Users\Admin\AppData\Roaming\Resources:bin
    Command line: C:\Users\Admin\AppData\Roaming\Resources:bin -r
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory

    vssadmin.exe (PID 1664)
      Path: C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      Signatures: Interacts with shadow copies

    takeown.exe (PID 2604)
      Path: C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Resources.exe
      Signatures: Modifies file permissions; Possible privilege escalation attempt

    icacls.exe (PID 2824)
      Path: C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Resources.exe /reset
      Signatures: Modifies file permissions; Possible privilege escalation attempt

    cmd.exe (PID 1672)
      Path: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Resources" & del "C:\Users\Admin\AppData\Roaming\Resources"
      Signatures: Suspicious use of WriteProcessMemory

      choice.exe (PID 3776)
        Path: C:\Windows\SysWOW64\choice.exe
        Command line: choice /t 10 /d y

      attrib.exe (PID 260)
        Path: C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Resources"
        Signatures: Views/modifies file attributes

  cmd.exe (PID 3484)
    Path: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe" & del "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
    Signatures: Suspicious use of WriteProcessMemory

    choice.exe (PID 980)
      Path: C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y

    attrib.exe (PID 280)
      Path: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
      Signatures: Views/modifies file attributes

vssvc.exe (PID 1516)
  Path: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Modifies service; Suspicious use of AdjustPrivilegeToken

Resources.exe (PID 3812)
  Path: C:\Windows\SysWOW64\Resources.exe
  Command line: C:\Windows\SysWOW64\Resources.exe -s
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

  cmd.exe (PID 3980)
    Path: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Resources.exe" & del "C:\Windows\SysWOW64\Resources.exe"
    Signatures: Suspicious use of WriteProcessMemory

    choice.exe (PID 984)
      Path: C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y

    attrib.exe (PID 2188)
      Path: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Windows\SysWOW64\Resources.exe"
      Signatures: Views/modifies file attributes; Drops file in System32 directory
Dropped files:
  C:\Users\Admin\AppData\Roaming\Resources:bin
  C:\Windows\SysWOW64\Resources.exe