Analysis
- max time kernel: 129s
- max time network: 104s
- platform: windows7_x64
- resource: win7
- submitted: 08-07-2020 10:30

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3.exe
  Resource: win7
- Behavioral task: behavioral2
  Sample: f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3.exe
  Resource: win10v200430

General
- Target: f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3.exe
- Size: 219KB
- MD5: 32657cb8dbbf2b177a5765107b83eb26
- SHA1: 942b1194b91c8ec04a8f547595ab2fa78904bc90
- SHA256: f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3
- SHA512: ac17e7f31624cd3b6d8c26c7beae753a0a9e6de7b332d65163fb988e7b4744ac58f6c051be768446b019b7304c6c4e610a0827b99b9487ac06fe8e1cca25c5b9

Malware Config
- Extracted from: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
- Family: makop
- Contact email: akzhq00705@protonmail.com
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  Processes: wbadmin.exe (PID 1796)
- Drops file in Program Files directory (9747 IoCs)
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  Keys created by vssvc.exe:
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3.exe, cmd.exe
  Source PID / process -> target PID / process (event count):
    1100 f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3.exe -> 1324 cmd.exe (4)
    1324 cmd.exe -> 1448 vssadmin.exe (3)
    1324 cmd.exe -> 1796 wbadmin.exe (3)
    1324 cmd.exe -> 1612 WMIC.exe (3)
- Makop
  Ransomware family discovered by @VK_Intel in early 2020.
- Deletes system backup catalog (2 TTPs)
  Ransomware often tries to delete backup files to inhibit system recovery.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1448)
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: vssvc.exe, wbengine.exe, WMIC.exe
  Token privileges enabled, by process:
    vssvc.exe (PID 272): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    wbengine.exe (PID 1832): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
    WMIC.exe (PID 1612), the following set twice (40 events): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3.exe (PID 1100)
- Adds Run entry to start application (2 TTPs, 1 IoC)
  Processes: f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3.exe\""
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Modifies system certificate store
  Processes: f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [binary blob not reproduced in this report]
Processes
- C:\Users\Admin\AppData\Local\Temp\f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3.exe"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - Adds Run entry to start application
  - Modifies system certificate store
  - C:\Users\Admin\AppData\Local\Temp\f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3.exe" n1100
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    - C:\Windows\system32\wbadmin.exe
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3.exe" n1100
  - C:\Users\Admin\AppData\Local\Temp\f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3.exe" n1100
  - C:\Users\Admin\AppData\Local\Temp\f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3.exe" n1100
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
Downloads
- \??\PIPE\wkssvc
- memory/320-12-0x0000000003499000-0x000000000349A000-memory.dmp (4KB)
- memory/320-13-0x0000000003580000-0x0000000003591000-memory.dmp (68KB)
- memory/616-4-0x0000000003449000-0x000000000344A000-memory.dmp (4KB)
- memory/616-5-0x00000000036E0000-0x00000000036F1000-memory.dmp (68KB)
- memory/1100-1-0x0000000003630000-0x0000000003641000-memory.dmp (68KB)
- memory/1100-0-0x00000000033E9000-0x00000000033EA000-memory.dmp (4KB)
- memory/1324-2-0x0000000000000000-mapping.dmp
- memory/1412-8-0x0000000003429000-0x000000000342A000-memory.dmp (4KB)
- memory/1412-9-0x0000000003690000-0x00000000036A1000-memory.dmp (68KB)
- memory/1448-3-0x0000000000000000-mapping.dmp
- memory/1612-7-0x0000000000000000-mapping.dmp
- memory/1772-11-0x0000000003430000-0x0000000003441000-memory.dmp (68KB)
- memory/1772-10-0x0000000003349000-0x000000000334A000-memory.dmp (4KB)
- memory/1796-6-0x0000000000000000-mapping.dmp