buran | da75d48c48022aae0f3134dcb66c3a8180003b014cb12b4727dc02a8e1a83b10

General

Target

lsass.exe
Size

214KB
MD5

7789e69306b9dd1dde3f46e12d068e6c
SHA1

d06c49fe36ba5ae37fd4bc81924a106d8cafa116
SHA256

da75d48c48022aae0f3134dcb66c3a8180003b014cb12b4727dc02a8e1a83b10
SHA512

7e7733b225a729f16932e4423601cea1232002e2ecab8950ba9a8385897ff0a2b5f06c91008c05f1d4e0b0def856bea8b748873bbcd4149503e67d7fcbdacccd

Score

10^/10

ransomware persistence buran

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE STOLEN and ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE STOLEN and ENCRYPTED !!! All your files, documents, databases and other important files are STOLEN and ENCRYPTED. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send 4 crypt file an email: mvpwesam@protonmail.com and decrypt one random file for free. But this file should be of not valuable! Do you really want to restore your files? you must transfer 1110 bitcoins to wallet : 125WPKS5eEtrhiRmZPX1MrAzeAG8AmzrG8 Write to email: mvpwesam@protonmail.com if there is no payment, in 30 DAYS this information will be PUBLIC. Some of the data will be sold on the DarkWeb, and some will be publicly available for cyber crime. After payment this information is guaranteed to be DELETED! Your personal ID: 582-22C-A06 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

mvpwesam@protonmail.com

Signatures

Suspicious use of AdjustPrivilegeToken 89 IoCs

Processes:

lsass.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	716	lsass.exe
Token: SeDebugPrivilege	716	lsass.exe
Token: SeIncreaseQuotaPrivilege	3756	WMIC.exe
Token: SeSecurityPrivilege	3756	WMIC.exe
Token: SeTakeOwnershipPrivilege	3756	WMIC.exe
Token: SeLoadDriverPrivilege	3756	WMIC.exe
Token: SeSystemProfilePrivilege	3756	WMIC.exe
Token: SeSystemtimePrivilege	3756	WMIC.exe
Token: SeProfSingleProcessPrivilege	3756	WMIC.exe
Token: SeIncBasePriorityPrivilege	3756	WMIC.exe
Token: SeCreatePagefilePrivilege	3756	WMIC.exe
Token: SeBackupPrivilege	3756	WMIC.exe
Token: SeRestorePrivilege	3756	WMIC.exe
Token: SeShutdownPrivilege	3756	WMIC.exe
Token: SeDebugPrivilege	3756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3756	WMIC.exe
Token: SeRemoteShutdownPrivilege	3756	WMIC.exe
Token: SeUndockPrivilege	3756	WMIC.exe
Token: SeManageVolumePrivilege	3756	WMIC.exe
Token: 33	3756	WMIC.exe
Token: 34	3756	WMIC.exe
Token: 35	3756	WMIC.exe
Token: 36	3756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2700	WMIC.exe
Token: SeSecurityPrivilege	2700	WMIC.exe
Token: SeTakeOwnershipPrivilege	2700	WMIC.exe
Token: SeLoadDriverPrivilege	2700	WMIC.exe
Token: SeSystemProfilePrivilege	2700	WMIC.exe
Token: SeSystemtimePrivilege	2700	WMIC.exe
Token: SeProfSingleProcessPrivilege	2700	WMIC.exe
Token: SeIncBasePriorityPrivilege	2700	WMIC.exe
Token: SeCreatePagefilePrivilege	2700	WMIC.exe
Token: SeBackupPrivilege	2700	WMIC.exe
Token: SeRestorePrivilege	2700	WMIC.exe
Token: SeShutdownPrivilege	2700	WMIC.exe
Token: SeDebugPrivilege	2700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2700	WMIC.exe
Token: SeRemoteShutdownPrivilege	2700	WMIC.exe
Token: SeUndockPrivilege	2700	WMIC.exe
Token: SeManageVolumePrivilege	2700	WMIC.exe
Token: 33	2700	WMIC.exe
Token: 34	2700	WMIC.exe
Token: 35	2700	WMIC.exe
Token: 36	2700	WMIC.exe
Token: SeBackupPrivilege	780	vssvc.exe
Token: SeRestorePrivilege	780	vssvc.exe
Token: SeAuditPrivilege	780	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3756	WMIC.exe
Token: SeSecurityPrivilege	3756	WMIC.exe
Token: SeTakeOwnershipPrivilege	3756	WMIC.exe
Token: SeLoadDriverPrivilege	3756	WMIC.exe
Token: SeSystemProfilePrivilege	3756	WMIC.exe
Token: SeSystemtimePrivilege	3756	WMIC.exe
Token: SeProfSingleProcessPrivilege	3756	WMIC.exe
Token: SeIncBasePriorityPrivilege	3756	WMIC.exe
Token: SeCreatePagefilePrivilege	3756	WMIC.exe
Token: SeBackupPrivilege	3756	WMIC.exe
Token: SeRestorePrivilege	3756	WMIC.exe
Token: SeShutdownPrivilege	3756	WMIC.exe
Token: SeDebugPrivilege	3756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3756	WMIC.exe
Token: SeRemoteShutdownPrivilege	3756	WMIC.exe
Token: SeUndockPrivilege	3756	WMIC.exe
Token: SeManageVolumePrivilege	3756	WMIC.exe

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lsass.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	lsass.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

392 vssadmin.exe
3676 vssadmin.exe

pid	process
392	vssadmin.exe
3676	vssadmin.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

lsass.exetaskeng.execmd.execmd.execmd.exe

description	pid	process	target process
PID 716 wrote to memory of 3008	716	lsass.exe	taskeng.exe
PID 716 wrote to memory of 3008	716	lsass.exe	taskeng.exe
PID 716 wrote to memory of 3008	716	lsass.exe	taskeng.exe
PID 716 wrote to memory of 2972	716	lsass.exe	notepad.exe
PID 716 wrote to memory of 2972	716	lsass.exe	notepad.exe
PID 716 wrote to memory of 2972	716	lsass.exe	notepad.exe
PID 716 wrote to memory of 2972	716	lsass.exe	notepad.exe
PID 716 wrote to memory of 2972	716	lsass.exe	notepad.exe
PID 716 wrote to memory of 2972	716	lsass.exe	notepad.exe
PID 3008 wrote to memory of 3812	3008	taskeng.exe	cmd.exe
PID 3008 wrote to memory of 3812	3008	taskeng.exe	cmd.exe
PID 3008 wrote to memory of 3812	3008	taskeng.exe	cmd.exe
PID 3008 wrote to memory of 3932	3008	taskeng.exe	cmd.exe
PID 3008 wrote to memory of 3932	3008	taskeng.exe	cmd.exe
PID 3008 wrote to memory of 3932	3008	taskeng.exe	cmd.exe
PID 3008 wrote to memory of 3868	3008	taskeng.exe	cmd.exe
PID 3008 wrote to memory of 3868	3008	taskeng.exe	cmd.exe
PID 3008 wrote to memory of 3868	3008	taskeng.exe	cmd.exe
PID 3008 wrote to memory of 3784	3008	taskeng.exe	cmd.exe
PID 3008 wrote to memory of 3784	3008	taskeng.exe	cmd.exe
PID 3008 wrote to memory of 3784	3008	taskeng.exe	cmd.exe
PID 3008 wrote to memory of 3368	3008	taskeng.exe	cmd.exe
PID 3008 wrote to memory of 3368	3008	taskeng.exe	cmd.exe
PID 3008 wrote to memory of 3368	3008	taskeng.exe	cmd.exe
PID 3008 wrote to memory of 1004	3008	taskeng.exe	cmd.exe
PID 3008 wrote to memory of 1004	3008	taskeng.exe	cmd.exe
PID 3008 wrote to memory of 1004	3008	taskeng.exe	cmd.exe
PID 3008 wrote to memory of 1508	3008	taskeng.exe	taskeng.exe
PID 3008 wrote to memory of 1508	3008	taskeng.exe	taskeng.exe
PID 3008 wrote to memory of 1508	3008	taskeng.exe	taskeng.exe
PID 3368 wrote to memory of 392	3368	cmd.exe	vssadmin.exe
PID 3368 wrote to memory of 392	3368	cmd.exe	vssadmin.exe
PID 3368 wrote to memory of 392	3368	cmd.exe	vssadmin.exe
PID 1004 wrote to memory of 3756	1004	cmd.exe	WMIC.exe
PID 1004 wrote to memory of 3756	1004	cmd.exe	WMIC.exe
PID 1004 wrote to memory of 3756	1004	cmd.exe	WMIC.exe
PID 3812 wrote to memory of 2700	3812	cmd.exe	WMIC.exe
PID 3812 wrote to memory of 2700	3812	cmd.exe	WMIC.exe
PID 3812 wrote to memory of 2700	3812	cmd.exe	WMIC.exe
PID 1004 wrote to memory of 3676	1004	cmd.exe	vssadmin.exe
PID 1004 wrote to memory of 3676	1004	cmd.exe	vssadmin.exe
PID 1004 wrote to memory of 3676	1004	cmd.exe	vssadmin.exe

Executes dropped EXE 2 IoCs

Processes:

taskeng.exetaskeng.exe

pid process

3008 taskeng.exe
1508 taskeng.exe

Suspicious behavior: EnumeratesProcesses 8160 IoCs

Processes:

taskeng.exe

pid	process
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe
3008	taskeng.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

2972 notepad.exe

pid	process
2972	notepad.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Drops file in Program Files directory 9283 IoCs

Processes:

taskeng.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\!!! ALL YOUR FILES ARE STOLEN and ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ul-oob.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\THMBNAIL.PNG	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.png.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\orcl7.xsl	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	taskeng.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_MoveNoDrop32x32.gif	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\rt.jar	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms	taskeng.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\!!! ALL YOUR FILES ARE STOLEN and ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ppd.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xsl.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\msipc.dll.mui.582-22C-A06	taskeng.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\!!! ALL YOUR FILES ARE STOLEN and ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\resources.jar	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\common.luac	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerWideTile.contrast-white_scale-125.png	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-pl.xrm-ms.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MYSL.ICO	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	taskeng.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\images\!!! ALL YOUR FILES ARE STOLEN and ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUR.TTF	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml.582-22C-A06	taskeng.exe
File created	C:\Program Files\Microsoft Office\root\Integration\!!! ALL YOUR FILES ARE STOLEN and ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\mcxml\x-none\office32ww.msi.16_office32ww.mcxml.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\Xusage.txt.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.582-22C-A06	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl	taskeng.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\!!! ALL YOUR FILES ARE STOLEN and ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL116.XML.582-22C-A06	taskeng.exe

C:\Users\Admin\AppData\Local\Temp\lsass.exe
"C:\Users\Admin\AppData\Local\Temp\lsass.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
PID:716

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:3868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:3784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:3676

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1508

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:2972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

File Deletion

2

T1107

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Download Submit
memory/392-12-0x0000000000000000-mapping.dmp

Download
memory/1004-9-0x0000000000000000-mapping.dmp

Download
memory/1508-10-0x0000000000000000-mapping.dmp

Download
memory/2700-15-0x0000000000000000-mapping.dmp

Download
memory/2972-3-0x0000000000000000-mapping.dmp

Download
memory/3008-0-0x0000000000000000-mapping.dmp

Download
memory/3368-8-0x0000000000000000-mapping.dmp

Download
memory/3676-16-0x0000000000000000-mapping.dmp

Download
memory/3756-14-0x0000000000000000-mapping.dmp

Download
memory/3784-7-0x0000000000000000-mapping.dmp

Download
memory/3812-4-0x0000000000000000-mapping.dmp

Download
memory/3868-6-0x0000000000000000-mapping.dmp

Download
memory/3932-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads