Analysis
- max time kernel: 128s
- max time network: 142s
- platform: windows10_x64
- resource: win10
- submitted: 08-07-2020 10:30

Static task: static1
Behavioral task: behavioral1
- Sample: 03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: 03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe
- Resource: win10
General
- Target: 03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe
- Size: 220KB
- MD5: d338decc4c2d3d093a12740e444286c4
- SHA1: 0867abf844576d906f05eefc1c32046be5e83b8e
- SHA256: 03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051
- SHA512: 1b4a15edf1baf39f47a08cfd792900e8d4a22ff6dbe7f8e61f55b9a30e741d3c1f2b1e845dc9932705da6f80f60bcd540054161cceb39b54a5a4f2f79ebf3dc0
Malware Config
- Extracted from: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
- Family: makop
- Contact email: akzhq00705@protonmail.com
Signatures
- Drops file in Program Files directory (17751 IoCs)
Processes: 03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe
- Suspicious use of NtCreateUserProcessOtherParentProcess (4 IoCs)
Processes: svchost.exe
  PID 4008 (svchost.exe) created 1636 (03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe)
  PID 4008 (svchost.exe) created 1636 (03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe)
  PID 4008 (svchost.exe) created 1636 (03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe)
  PID 4008 (svchost.exe) created 1636 (03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe)
- Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (PID 3780)
- Adds Run entry to start application (2 TTPs, 1 IoC)
Processes: 03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe\"" (03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe)
- Makop
Ransomware family discovered by @VK_Intel in early 2020.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vds.exe
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName (vds.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 (vds.exe)
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName (vds.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 (vds.exe)
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
Processes: svchost.exe, vssvc.exe, wbengine.exe, WMIC.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe
  PID 1636 (03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe)
  PID 1636 (03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe)
- Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (vssvc.exe)
- Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
- Deletes system backup catalog (2 TTPs)
Ransomware often tries to delete backup files to inhibit system recovery.
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of WriteProcessMemory (36 IoCs)
Processes: svchost.exe, 03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe, cmd.exe
Processes: wbadmin.exe (PID 2528)
Processes (process tree; indentation and depth number show parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe"
  - Drops file in Program Files directory
  - Adds Run entry to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe" n1636
  C:\Windows\system32\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe (depth 3)
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    C:\Windows\system32\wbadmin.exe (depth 3)
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe" n1636
  C:\Users\Admin\AppData\Local\Temp\03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe" n1636
  C:\Users\Admin\AppData\Local\Temp\03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051.exe" n1636

\??\c:\windows\system32\svchost.exe (depth 1)
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service

C:\Windows\system32\wbengine.exe (depth 1)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe (depth 1)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe (depth 1)
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)