Analysis
- max time kernel: 150s
- max time network: 136s
- platform: windows10_x64
- resource: win10
- submitted: 09-07-2020 01:31
Static task: static1
Behavioral task: behavioral1 (Sample: lsass.exe, Resource: win7v200430)
Behavioral task: behavioral2 (Sample: lsass.exe, Resource: win10)
General
- Target: lsass.exe
- Size: 214KB
- MD5: 7789e69306b9dd1dde3f46e12d068e6c
- SHA1: d06c49fe36ba5ae37fd4bc81924a106d8cafa116
- SHA256: da75d48c48022aae0f3134dcb66c3a8180003b014cb12b4727dc02a8e1a83b10
- SHA512: 7e7733b225a729f16932e4423601cea1232002e2ecab8950ba9a8385897ff0a2b5f06c91008c05f1d4e0b0def856bea8b748873bbcd4149503e67d7fcbdacccd
Malware Config
Extracted
- Path: C:\!!! ALL YOUR FILES ARE STOLEN and ENCRYPTED !!!.TXT
- Family: buran
- Email: mvpwesam@protonmail.com
Signatures
-
Suspicious use of AdjustPrivilegeToken (89 IoCs)
Processes: lsass.exe, WMIC.exe, WMIC.exe, vssvc.exe
Token (by pid and process):
- lsass.exe (pid 716): SeDebugPrivilege (reported twice)
- WMIC.exe (pid 3756): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- WMIC.exe (pid 2700): the same 21 tokens as pid 3756, in the same order
- vssvc.exe (pid 780): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- WMIC.exe (pid 3756), second run: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Adds Run entry to start application (2 TTPs, 2 IoCs)
Processes: lsass.exe
- Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run (lsass.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start" (lsass.exe)
-
Enumerates connected drives (3 TTPs)
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe, vssadmin.exe
- pid 392: vssadmin.exe
- pid 3676: vssadmin.exe
-
Suspicious use of WriteProcessMemory (42 IoCs)
Processes: lsass.exe, taskeng.exe, cmd.exe, cmd.exe, cmd.exe
Writes (source pid/process -> target pid/process; the number in parentheses is how many times the report lists that row):
- 716 lsass.exe -> 3008 taskeng.exe (3)
- 716 lsass.exe -> 2972 notepad.exe (6)
- 3008 taskeng.exe -> 3812 cmd.exe (3)
- 3008 taskeng.exe -> 3932 cmd.exe (3)
- 3008 taskeng.exe -> 3868 cmd.exe (3)
- 3008 taskeng.exe -> 3784 cmd.exe (3)
- 3008 taskeng.exe -> 3368 cmd.exe (3)
- 3008 taskeng.exe -> 1004 cmd.exe (3)
- 3008 taskeng.exe -> 1508 taskeng.exe (3)
- 3368 cmd.exe -> 392 vssadmin.exe (3)
- 1004 cmd.exe -> 3756 WMIC.exe (3)
- 3812 cmd.exe -> 2700 WMIC.exe (3)
- 1004 cmd.exe -> 3676 vssadmin.exe (3)
-
Executes dropped EXE (2 IoCs)
Processes: taskeng.exe, taskeng.exe
- pid 3008: taskeng.exe
- pid 1508: taskeng.exe
-
Suspicious behavior: EnumeratesProcesses (8160 IoCs)
Processes: taskeng.exe
- pid 3008: taskeng.exe (the same entry is repeated for every occurrence in the truncated list)
-
Deletes itself (1 IoC)
Processes: notepad.exe
- pid 2972: notepad.exe
-
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
-
Drops file in Program Files directory (9283 IoCs)
Processes: taskeng.exe (every entry below is attributed to taskeng.exe)
- File created: C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\!!! ALL YOUR FILES ARE STOLEN and ENCRYPTED !!!.TXT
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.582-22C-A06
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar.582-22C-A06
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ul-oob.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.582-22C-A06
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\THMBNAIL.PNG
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar.582-22C-A06
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms.582-22C-A06
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK.582-22C-A06
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.png.582-22C-A06
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\orcl7.xsl
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_MoveNoDrop32x32.gif
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.582-22C-A06
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE.582-22C-A06
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe.582-22C-A06
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\lib\rt.jar
- File opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml.582-22C-A06
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms
- File created: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\!!! ALL YOUR FILES ARE STOLEN and ENCRYPTED !!!.TXT
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl.582-22C-A06
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ppd.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xsl.582-22C-A06
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\msipc.dll.mui.582-22C-A06
- File created: C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\!!! ALL YOUR FILES ARE STOLEN and ENCRYPTED !!!.TXT
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms.582-22C-A06
- File opened for modification: C:\Program Files\7-Zip\Lang\vi.txt.582-22C-A06
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer.582-22C-A06
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\resources.jar
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.582-22C-A06
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\modules\common.luac
- File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerWideTile.contrast-white_scale-125.png
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar.582-22C-A06
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar
- File opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml.582-22C-A06
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-pl.xrm-ms.582-22C-A06
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\MYSL.ICO
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml.582-22C-A06
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe
- File created: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\images\!!! ALL YOUR FILES ARE STOLEN and ENCRYPTED !!!.TXT
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUR.TTF
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar.582-22C-A06
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml.582-22C-A06
- File created: C:\Program Files\Microsoft Office\root\Integration\!!! ALL YOUR FILES ARE STOLEN and ENCRYPTED !!!.TXT
- File opened for modification: C:\Program Files\Microsoft Office\root\mcxml\x-none\office32ww.msi.16_office32ww.mcxml.582-22C-A06
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar.582-22C-A06
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa.582-22C-A06
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\Xusage.txt.582-22C-A06
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.582-22C-A06
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.582-22C-A06
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl
- File created: C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\!!! ALL YOUR FILES ARE STOLEN and ENCRYPTED !!!.TXT
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL116.XML.582-22C-A06
Processes (process tree; nesting shows parent/child, each entry gives the image path, the command line and the signatures that fired on it)
- C:\Users\Admin\AppData\Local\Temp\lsass.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\lsass.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken; Adds Run entry to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
    Signatures: Suspicious use of WriteProcessMemory; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        Signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        Signatures: Interacts with shadow copies
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
      Signatures: Executes dropped EXE; Drops file in Program Files directory
  - C:\Windows\SysWOW64\notepad.exe
    Command line: notepad.exe
    Signatures: Deletes itself
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken; Modifies service
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
-
memory/392-12-0x0000000000000000-mapping.dmp
-
memory/1004-9-0x0000000000000000-mapping.dmp
-
memory/1508-10-0x0000000000000000-mapping.dmp
-
memory/2700-15-0x0000000000000000-mapping.dmp
-
memory/2972-3-0x0000000000000000-mapping.dmp
-
memory/3008-0-0x0000000000000000-mapping.dmp
-
memory/3368-8-0x0000000000000000-mapping.dmp
-
memory/3676-16-0x0000000000000000-mapping.dmp
-
memory/3756-14-0x0000000000000000-mapping.dmp
-
memory/3784-7-0x0000000000000000-mapping.dmp
-
memory/3812-4-0x0000000000000000-mapping.dmp
-
memory/3868-6-0x0000000000000000-mapping.dmp
-
memory/3932-5-0x0000000000000000-mapping.dmp