Analysis
max time kernel: 151s
max time network: 85s
platform: windows7_x64
resource: win7v200430
submitted: 09-07-2020 01:31

Static task: static1
Behavioral task behavioral1: sample lsass.exe, resource win7v200430
Behavioral task behavioral2: sample lsass.exe, resource win10
General
Target: lsass.exe
Size: 214KB
MD5: 7789e69306b9dd1dde3f46e12d068e6c
SHA1: d06c49fe36ba5ae37fd4bc81924a106d8cafa116
SHA256: da75d48c48022aae0f3134dcb66c3a8180003b014cb12b4727dc02a8e1a83b10
SHA512: 7e7733b225a729f16932e4423601cea1232002e2ecab8950ba9a8385897ff0a2b5f06c91008c05f1d4e0b0def856bea8b748873bbcd4149503e67d7fcbdacccd
Malware Config
Extracted from: C:\!!! ALL YOUR FILES ARE STOLEN and ENCRYPTED !!!.TXT
Family: buran
E-mail: mvpwesam@protonmail.com
Signatures

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  1296  lsass.exe
  1296  lsass.exe
Suspicious use of WriteProcessMemory (55 IoCs)
Processes (one row per source/target pair; identical rows are collapsed with a call count):
  source pid  source     target pid  target        calls
  1296        lsass.exe  1328        lsass.exe     4
  1296        lsass.exe  1428        notepad.exe   7
  1328        lsass.exe  308         cmd.exe       4
  1328        lsass.exe  1020        cmd.exe       4
  1328        lsass.exe  112         cmd.exe       4
  1328        lsass.exe  1644        cmd.exe       4
  1328        lsass.exe  1536        cmd.exe       4
  1328        lsass.exe  1688        cmd.exe       4
  1328        lsass.exe  1764        lsass.exe     4
  1536        cmd.exe    1792        vssadmin.exe  4
  308         cmd.exe    1772        WMIC.exe      4
  1688        cmd.exe    1776        WMIC.exe      4
  1688        cmd.exe    600         vssadmin.exe  4
Four writes per child is what the sandbox records for a plain process launch by the parent. The seven writes into notepad.exe (PID 1428), a process started with no arguments and the one later credited with the self-deletion, are the ones to chase in the dump.
Suspicious use of AdjustPrivilegeToken (85 IoCs; the report lists the first 64)
Processes:
  lsass.exe (PID 1296): SeDebugPrivilege, SeDebugPrivilege
  vssvc.exe (PID 508): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  WMIC.exe (PID 1772): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  WMIC.exe (PID 1776): the same 20 entries, in the same order
  WMIC.exe (PID 1772), second adjustment: SeIncreaseQuotaPrivilege through SeRemoteShutdownPrivilege (15 entries, same order), then SeUndockPrivilege, SeManageVolumePrivilege
  WMIC.exe (PID 1776), second adjustment: SeIncreaseQuotaPrivilege, SeSecurityPrivilege
The unnamed values 33, 34 and 35 are the privilege LUIDs for SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege, which the report did not resolve to names. WMIC.exe enabling every privilege its token holds is its normal start-up behaviour, so the bulk of this signature reflects the two wmic launches rather than a privilege step taken by the sample itself; the SeDebugPrivilege enabled by the dropper (PID 1296) is the entry that belongs to the malware.
Suspicious behavior: EnumeratesProcesses (4141 IoCs)
Processes:
  pid   process
  1328  lsass.exe (one row per enumeration; the report shows only the first page of the 4141 entries)
Buran
Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.
Adds Run entry to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                                          process
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"  lsass.exe
  Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run                    lsass.exe
Enumerates connected drives (3 TTPs)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1328  lsass.exe
  1764  lsass.exe

Deletes itself (1 IoC)
Processes:
  pid   process
  1428  notepad.exe

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  1792  vssadmin.exe
  600   vssadmin.exe
Drops file in Program Files directory (10308 IoCs; the report lists the first 64)
Process: lsass.exe
File opened for modification:
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01171_.WMF.582-22C-A06
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA02423_.WMF
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00183_.WMF.582-22C-A06
  C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0301480.WMF.582-22C-A06
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar.582-22C-A06
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml.582-22C-A06
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BS00445_.WMF
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE00833_.WMF.582-22C-A06
  C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml.582-22C-A06
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0199475.WMF.582-22C-A06
  C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD14800_.GIF
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_ja.jar
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml
  C:\Program Files\Java\jre7\lib\zi\America\Martinique.582-22C-A06
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152556.WMF
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0153095.WMF.582-22C-A06
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0172067.WMF
  C:\Program Files\7-Zip\Lang\br.txt.582-22C-A06
  C:\Program Files\Java\jdk1.7.0_80\lib\jawt.lib
  C:\Program Files\Java\jre7\bin\rmid.exe
  C:\Program Files\Java\jre7\lib\security\local_policy.jar
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BS00135_.WMF.582-22C-A06
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\blacklist.582-22C-A06
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0174315.WMF
  C:\Program Files\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml
  C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21481_.GIF
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar.582-22C-A06
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml.582-22C-A06
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BL00648_.WMF
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105412.WMF
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152432.WMF.582-22C-A06
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.security
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar
  C:\Program Files\Java\jre7\lib\javaws.jar.582-22C-A06
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BD08808_.WMF.582-22C-A06
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01152_.WMF.582-22C-A06
  C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105336.WMF.582-22C-A06
  C:\Program Files\Java\jre7\lib\zi\America\Cayman.582-22C-A06
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0238959.WMF
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt.582-22C-A06
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH00236_.WMF.582-22C-A06
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HM00116_.WMF
  C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0291984.WMF
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar.582-22C-A06
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0153299.WMF
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE02169_.WMF
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0215070.WMF
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao.582-22C-A06
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar.582-22C-A06
  C:\Program Files\Java\jre7\lib\zi\Australia\Melbourne.582-22C-A06
  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107266.WMF
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Vancouver.582-22C-A06
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.RSA
File created:
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\!!! ALL YOUR FILES ARE STOLEN and ENCRYPTED !!!.TXT
Encrypted files carry the appended extension .582-22C-A06 in this run, and the ransom note is written into each directory the sample touches.
Modifies service (2 TTPs, 4 IoCs)
Processes:
  description  ioc                                                                                  process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer              vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                     vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                vssvc.exe
These keys are written by the Volume Shadow Copy service itself when it is started to serve the vssadmin/wmic requests below, not by the sample.
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\lsass.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\lsass.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Adds Run entry to start application
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe  (depth 2)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\Wbem\WMIC.exe  (depth 4)
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\vssadmin.exe  (depth 4)
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\Wbem\WMIC.exe  (depth 4)
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\vssadmin.exe  (depth 4)
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe  (depth 3)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
      - Executes dropped EXE
      - Drops file in Program Files directory
  C:\Windows\SysWOW64\notepad.exe  (depth 2)
    command line: notepad.exe
    - Deletes itself
C:\Windows\system32\vssvc.exe  (depth 1)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
C:\Windows\explorer.exe  (depth 1)
  command line: "C:\Windows\explorer.exe"

Two details matter for writing detections from this tree. The command lines name C:\Windows\system32\cmd.exe but the image paths are under C:\Windows\SysWOW64: the sample is 32-bit, so WoW64 file-system redirection resolves its system32 launches to the SysWOW64 copies, and a rule keyed on the image path has to accept both directories. The ~temp001.bat launch shows nothing useful in its own command line; the second wmic shadowcopy delete and vssadmin delete shadows only appear as its children, so the recovery-inhibition commands have to be matched on the child processes as well as on the "cmd.exe /C ..." parent.
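The recovery-inhibition commands and the Run-key persistence recorded in this report, written up as detection logic. This is an added example, not part of the sandbox output or of the sample: it runs over constructed Sysmon-style process-creation and registry events modelled on the process tree above. The field names (EventType, ProcessId, ParentProcessId, Image, CommandLine, TargetObject, Details), the assignment of PIDs 1020, 112 and 1644 to the three bcdedit/wbadmin launches (the report does not tie those PIDs to command lines), and the two benign control events at the end are assumptions. The block also shows the ~temp001.bat gap: the batch launch itself raises nothing, its children do, and the correlation step ties every hit back to the root dropper PID so that one tree disabling shadow copies, boot recovery and the backup catalog is scored as a whole.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Command lines that inhibit recovery, as seen in this report's process tree.
# Matched case-insensitively against the whole command line, so they fire on
# the parent "cmd.exe /C ..." launch as well as on the vssadmin/wmic/bcdedit child.
RECOVERY_INHIBITION = [
    ("vssadmin-delete-shadows",      r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("wmic-shadowcopy-delete",       r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("bcdedit-recovery-disabled",    r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b"),
    ("bcdedit-ignore-boot-failures", r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    ("wbadmin-delete-catalog",       r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b"),
]
RECOVERY_RE = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RECOVERY_INHIBITION]
RECOVERY_NAMES = {name for name, _ in RECOVERY_INHIBITION}

# Windows processes that only ever run from the system directory (System32, or SysWOW64 under WoW64).
SYSTEM_ONLY_NAMES = {"lsass.exe", "csrss.exe", "smss.exe", "services.exe", "winlogon.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)

@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def first_token(cmdline):
    """Executable part of a command line, honouring a quoted path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]

def check_process(ev):
    alerts = [Alert(name, ev["ProcessId"], ev["CommandLine"])
              for name, rx in RECOVERY_RE if rx.search(ev["CommandLine"])]
    # Masquerading: a system-process name started from anywhere but the system directory.
    if basename(ev["Image"]) in SYSTEM_ONLY_NAMES and not ev["Image"].lower().startswith(SYSTEM_DIRS):
        alerts.append(Alert("system-process-name-outside-system-dir", ev["ProcessId"], ev["Image"]))
    return alerts

def check_registry(ev):
    """Run-key value that points into the user profile or reuses a system-process name."""
    if not RUN_KEY_RE.search(ev["TargetObject"]):
        return []
    exe = first_token(ev["Details"])
    if USER_PROFILE_RE.match(exe) or basename(exe) in SYSTEM_ONLY_NAMES:
        return [Alert("run-key-user-profile-path", ev["ProcessId"], f'{ev["TargetObject"]} = {ev["Details"]}')]
    return []

def detect(events):
    alerts = []
    for ev in events:
        if ev["EventType"] == "ProcessCreate":
            alerts += check_process(ev)
        elif ev["EventType"] == "RegistryValueSet":
            alerts += check_registry(ev)
    return alerts

def correlate(events, alerts, threshold=3):
    """Walk each recovery-inhibition alert up to the root of its process tree and return
    the roots under which at least `threshold` distinct rules fired. One tree removing
    shadow copies, boot recovery and the backup catalog is the ransomware pattern; a
    lone 'vssadmin delete shadows' may just be an administrator."""
    parent = {e["ProcessId"]: e["ParentProcessId"] for e in events if e["EventType"] == "ProcessCreate"}

    def root(pid):
        while pid in parent and parent[pid] in parent:
            pid = parent[pid]
        return pid

    rules_by_root = defaultdict(set)
    for a in alerts:
        if a.rule in RECOVERY_NAMES:
            rules_by_root[root(a.pid)].add(a.rule)
    return {r: sorted(s) for r, s in rules_by_root.items() if len(s) >= threshold}

# Constructed events modelled on the report's process tree (Sysmon-style field names are an
# assumption). PIDs 1020, 112 and 1644 for the bcdedit/wbadmin launches and the two benign
# control events at the end are assumptions too; the rest comes from the report.
def _proc(pid, ppid, image, cmdline):
    return {"EventType": "ProcessCreate", "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "CommandLine": cmdline}

EVENTS = [
    _proc(1296, 1500, r"C:\Users\Admin\AppData\Local\Temp\lsass.exe", r'"C:\Users\Admin\AppData\Local\Temp\lsass.exe"'),
    {"EventType": "RegistryValueSet", "ProcessId": 1296,
     "TargetObject": r"HKU\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe",
     "Details": r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start'},
    _proc(1328, 1296, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe", r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start'),
    _proc(308, 1328, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete'),
    _proc(1772, 308, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    _proc(1020, 1328, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no'),
    _proc(112, 1328, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    _proc(1644, 1328, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet'),
    _proc(1536, 1328, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet'),
    _proc(1792, 1536, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    # The batch-file launch reveals nothing in its own command line; only its children do.
    _proc(1688, 1328, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat'),
    _proc(1776, 1688, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    _proc(600, 1688, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    _proc(1764, 1328, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe", r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0'),
    # Benign controls: the real LSASS, and an administrator listing shadow copies.
    _proc(488, 476, r"C:\Windows\System32\lsass.exe", r"C:\Windows\system32\lsass.exe"),
    _proc(2200, 2100, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
]
```

Run `detect(EVENTS)` and then `correlate(EVENTS, alerts)`: the per-event rules produce thirteen alerts (nine recovery-inhibition hits, three lsass.exe launches outside the system directory, one Run-key value), none of them on the two controls, and the correlation step reports a single root, PID 1296, with all five recovery-inhibition rules under it. Matching both parent and child means a batch or script wrapper cannot hide the command, at the cost of two alerts per direct launch, which the root-level grouping absorbs.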
Network
(no network activity recorded)

MITRE ATT&CK Matrix (ATT&CK v6)

Downloads
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
memory/112-7-0x0000000000000000-mapping.dmp
memory/308-5-0x0000000000000000-mapping.dmp
memory/600-18-0x0000000000000000-mapping.dmp
memory/1020-6-0x0000000000000000-mapping.dmp
memory/1328-2-0x0000000000000000-mapping.dmp
memory/1428-4-0x0000000000000000-mapping.dmp
memory/1536-9-0x0000000000000000-mapping.dmp
memory/1644-8-0x0000000000000000-mapping.dmp
memory/1688-10-0x0000000000000000-mapping.dmp
memory/1764-12-0x0000000000000000-mapping.dmp
memory/1772-16-0x0000000000000000-mapping.dmp
memory/1776-17-0x0000000000000000-mapping.dmp
memory/1792-15-0x0000000000000000-mapping.dmp