buran | 15e3107a2c30da16832db6f9cdadd38c7a202d72b6a43899b9642d3b695d6f50

General

Target

Aksip.bin.exe
Size

344KB
MD5

61506482ddd28756e443b3de05a3b1cf
SHA1

8d7effb5a456289d13f725486a30bed727a01be0
SHA256

15e3107a2c30da16832db6f9cdadd38c7a202d72b6a43899b9642d3b695d6f50
SHA512

18a7178209e6e9edd15e22c97ad15b049370fe457fcec815fe702d75514014460f80326e3a4ae6ca496582467c57398cdb250bf826b76e62bf2c56e1f38efe46

Score

10^/10

ransomware buran persistence

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: msupport2019@protonmail.com and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: msupport2019@protonmail.com Reserved email: msupport@elude.in Your personal ID: 1A4-8A1-A5A Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

msupport2019@protonmail.com

msupport@elude.in

Signatures

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 geoiptool.com
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

flow	ioc
3	geoiptool.com

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Aksip.bin.exelsass.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	Aksip.bin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c190000000100000010000000ea6089055218053dd01e37e1d806eedf040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf91400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	Aksip.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	lsass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Aksip.bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Aksip.bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Aksip.bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Aksip.bin.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

Aksip.bin.exelsass.execmd.execmd.exe

description	pid	process	target process
PID 1000 wrote to memory of 1172	1000	Aksip.bin.exe	lsass.exe
PID 1000 wrote to memory of 1172	1000	Aksip.bin.exe	lsass.exe
PID 1000 wrote to memory of 1172	1000	Aksip.bin.exe	lsass.exe
PID 1000 wrote to memory of 1172	1000	Aksip.bin.exe	lsass.exe
PID 1000 wrote to memory of 1880	1000	Aksip.bin.exe	notepad.exe
PID 1000 wrote to memory of 1880	1000	Aksip.bin.exe	notepad.exe
PID 1000 wrote to memory of 1880	1000	Aksip.bin.exe	notepad.exe
PID 1000 wrote to memory of 1880	1000	Aksip.bin.exe	notepad.exe
PID 1000 wrote to memory of 1880	1000	Aksip.bin.exe	notepad.exe
PID 1000 wrote to memory of 1880	1000	Aksip.bin.exe	notepad.exe
PID 1000 wrote to memory of 1880	1000	Aksip.bin.exe	notepad.exe
PID 1172 wrote to memory of 1612	1172	lsass.exe	lsass.exe
PID 1172 wrote to memory of 1612	1172	lsass.exe	lsass.exe
PID 1172 wrote to memory of 1612	1172	lsass.exe	lsass.exe
PID 1172 wrote to memory of 1612	1172	lsass.exe	lsass.exe
PID 1172 wrote to memory of 1588	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1588	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1588	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1588	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1636	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1636	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1636	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1636	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1976	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1976	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1976	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1976	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1940	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1940	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1940	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1940	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 2032	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 2032	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 2032	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 2032	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1996	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1996	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1996	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1996	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1456	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1456	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1456	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1456	1172	lsass.exe	cmd.exe
PID 1456 wrote to memory of 480	1456	cmd.exe	WMIC.exe
PID 1456 wrote to memory of 480	1456	cmd.exe	WMIC.exe
PID 1456 wrote to memory of 480	1456	cmd.exe	WMIC.exe
PID 1456 wrote to memory of 480	1456	cmd.exe	WMIC.exe
PID 1172 wrote to memory of 1052	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1052	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1052	1172	lsass.exe	cmd.exe
PID 1172 wrote to memory of 1052	1172	lsass.exe	cmd.exe
PID 1052 wrote to memory of 1104	1052	cmd.exe	vssadmin.exe
PID 1052 wrote to memory of 1104	1052	cmd.exe	vssadmin.exe
PID 1052 wrote to memory of 1104	1052	cmd.exe	vssadmin.exe
PID 1052 wrote to memory of 1104	1052	cmd.exe	vssadmin.exe
PID 1172 wrote to memory of 1248	1172	lsass.exe	notepad.exe
PID 1172 wrote to memory of 1248	1172	lsass.exe	notepad.exe
PID 1172 wrote to memory of 1248	1172	lsass.exe	notepad.exe
PID 1172 wrote to memory of 1248	1172	lsass.exe	notepad.exe
PID 1172 wrote to memory of 1248	1172	lsass.exe	notepad.exe
PID 1172 wrote to memory of 1248	1172	lsass.exe	notepad.exe
PID 1172 wrote to memory of 1248	1172	lsass.exe	notepad.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

Aksip.bin.exelsass.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1000	Aksip.bin.exe
Token: SeDebugPrivilege	1000	Aksip.bin.exe
Token: SeDebugPrivilege	1172	lsass.exe
Token: SeIncreaseQuotaPrivilege	480	WMIC.exe
Token: SeSecurityPrivilege	480	WMIC.exe
Token: SeTakeOwnershipPrivilege	480	WMIC.exe
Token: SeLoadDriverPrivilege	480	WMIC.exe
Token: SeSystemProfilePrivilege	480	WMIC.exe
Token: SeSystemtimePrivilege	480	WMIC.exe
Token: SeProfSingleProcessPrivilege	480	WMIC.exe
Token: SeIncBasePriorityPrivilege	480	WMIC.exe
Token: SeCreatePagefilePrivilege	480	WMIC.exe
Token: SeBackupPrivilege	480	WMIC.exe
Token: SeRestorePrivilege	480	WMIC.exe
Token: SeShutdownPrivilege	480	WMIC.exe
Token: SeDebugPrivilege	480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	480	WMIC.exe
Token: SeRemoteShutdownPrivilege	480	WMIC.exe
Token: SeUndockPrivilege	480	WMIC.exe
Token: SeManageVolumePrivilege	480	WMIC.exe
Token: 33	480	WMIC.exe
Token: 34	480	WMIC.exe
Token: 35	480	WMIC.exe
Token: SeIncreaseQuotaPrivilege	480	WMIC.exe
Token: SeSecurityPrivilege	480	WMIC.exe
Token: SeTakeOwnershipPrivilege	480	WMIC.exe
Token: SeLoadDriverPrivilege	480	WMIC.exe
Token: SeSystemProfilePrivilege	480	WMIC.exe
Token: SeSystemtimePrivilege	480	WMIC.exe
Token: SeProfSingleProcessPrivilege	480	WMIC.exe
Token: SeIncBasePriorityPrivilege	480	WMIC.exe
Token: SeCreatePagefilePrivilege	480	WMIC.exe
Token: SeBackupPrivilege	480	WMIC.exe
Token: SeRestorePrivilege	480	WMIC.exe
Token: SeShutdownPrivilege	480	WMIC.exe
Token: SeDebugPrivilege	480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	480	WMIC.exe
Token: SeRemoteShutdownPrivilege	480	WMIC.exe
Token: SeUndockPrivilege	480	WMIC.exe
Token: SeManageVolumePrivilege	480	WMIC.exe
Token: 33	480	WMIC.exe
Token: 34	480	WMIC.exe
Token: 35	480	WMIC.exe
Token: SeBackupPrivilege	1680	vssvc.exe
Token: SeRestorePrivilege	1680	vssvc.exe
Token: SeAuditPrivilege	1680	vssvc.exe
Token: SeDebugPrivilege	1172	lsass.exe
Token: SeDebugPrivilege	1172	lsass.exe

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Aksip.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run	Aksip.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"	Aksip.bin.exe

Loads dropped DLL 2 IoCs

Processes:

Aksip.bin.exe

pid process

1000 Aksip.bin.exe
1000 Aksip.bin.exe
Executes dropped EXE 2 IoCs

Processes:

lsass.exelsass.exe

pid process

1172 lsass.exe
1612 lsass.exe

pid	process
1000	Aksip.bin.exe
1000	Aksip.bin.exe

pid	process
1172	lsass.exe
1612	lsass.exe

Drops file in Program Files directory 15796 IoCs

Processes:

lsass.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01181_.WMF.1A4-8A1-A5A	lsass.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH00231_.WMF	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15021_.GIF	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\TASKDECS.ICO	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SettingsInternal.zip.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01162_.WMF.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01628_.WMF.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00603_.WMF	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSPUB.EXE.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\ONELEV.EXE.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\PULLQUOTEBB.DPV	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_zh_4.4.0.v20140623020002.jar	lsass.exe
File created	C:\Program Files\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\Access\Students.accdt	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-bullet.png	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE06450_.WMF	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21518_.GIF.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PARNT_07.MID	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\INFOMS.ICO	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TN01164_.WMF	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHighMask.bmp.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid_over.gif	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME53.CSS	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD21340_.GIF.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_zh_CN.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR37F.GIF.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\ENV11.POC	lsass.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\.zeppelin	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00126_.GIF	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0090390.WMF	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Auckland.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18203_.WMF.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\DISTLIST.CFG	lsass.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File created	C:\Program Files\.zeppelin	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0233070.WMF.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\IPIRM.XML.1A4-8A1-A5A	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0240175.WMF.1A4-8A1-A5A	lsass.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1880 notepad.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1104 vssadmin.exe

pid	process
1880	notepad.exe

pid	process
1104	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\Aksip.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Aksip.bin.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Adds Run key to start application
- Loads dropped DLL
PID:1000

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
2⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1172

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
3⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
3⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete backup
3⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1104

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:1248

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:1880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Install Root Certificate

1

T1130

File Deletion

2

T1107

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EAP7GNEB\SAECS561.htm

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UJFO0ABC\S18E8TDX.htm

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Download Submit
C:\Users\Admin\Desktop\ApproveSelect.dwfx.1A4-8A1-A5A

Download Submit
C:\Users\Admin\Desktop\CompressMeasure.search-ms.1A4-8A1-A5A

Download Submit
C:\Users\Admin\Desktop\DisableUninstall.emf.1A4-8A1-A5A

Download Submit
C:\Users\Admin\Desktop\EnterFormat.ppsx.1A4-8A1-A5A

Download Submit
C:\Users\Admin\Desktop\ExpandSet.jpg.1A4-8A1-A5A

Download Submit
C:\Users\Admin\Desktop\FindInvoke.mp3.1A4-8A1-A5A

Download Submit
C:\Users\Admin\Desktop\InvokeRepair.dxf.1A4-8A1-A5A

Download Submit
C:\Users\Admin\Desktop\LockDisable.odt.1A4-8A1-A5A

Download Submit
C:\Users\Admin\Desktop\MountGroup.xla.1A4-8A1-A5A

Download Submit
C:\Users\Admin\Desktop\OpenImport.mov.1A4-8A1-A5A

Download Submit
C:\Users\Admin\Desktop\ReceivePush.docm.1A4-8A1-A5A

Download Submit
C:\Users\Admin\Desktop\ResetPop.txt.1A4-8A1-A5A

Download Submit
C:\Users\Admin\Desktop\RestoreClose.ps1.1A4-8A1-A5A

Download Submit
C:\Users\Admin\Desktop\SaveDeny.bmp.1A4-8A1-A5A

Download Submit
C:\Users\Admin\Desktop\SelectRemove.ttc.1A4-8A1-A5A

Download Submit
C:\Users\Admin\Desktop\SetRestart.vsw.1A4-8A1-A5A

Download Submit
C:\Users\Admin\Desktop\SuspendRestore.docm.1A4-8A1-A5A

Download Submit
C:\Users\Admin\Desktop\TestUnlock.MOD.1A4-8A1-A5A

Download Submit
C:\Users\Admin\Desktop\WaitInitialize.crw.1A4-8A1-A5A

Download Submit
C:\Users\Admin\Desktop\WatchUnblock.mpg.1A4-8A1-A5A

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Download Submit
memory/480-30-0x0000000000000000-mapping.dmp

Download
memory/1000-1-0x0000000001D80000-0x0000000001D91000-memory.dmp

Filesize
68KB

Download
memory/1000-0-0x000000000070B000-0x000000000070C000-memory.dmp

Filesize
4KB

Download
memory/1052-31-0x0000000000000000-mapping.dmp

Download
memory/1104-32-0x0000000000000000-mapping.dmp

Download
memory/1172-7-0x000000000066B000-0x000000000066C000-memory.dmp

Filesize
4KB

Download
memory/1172-8-0x0000000001EE0000-0x0000000001EF1000-memory.dmp

Filesize
68KB

Download
memory/1172-4-0x0000000000000000-mapping.dmp

Download
memory/1248-53-0x0000000000000000-mapping.dmp

Download
memory/1456-29-0x0000000000000000-mapping.dmp

Download
memory/1588-21-0x0000000000000000-mapping.dmp

Download
memory/1612-19-0x0000000000000000-mapping.dmp

Download
memory/1612-25-0x0000000001FC0000-0x0000000001FD1000-memory.dmp

Filesize
68KB

Download
memory/1612-24-0x000000000065B000-0x000000000065C000-memory.dmp

Filesize
4KB

Download
memory/1636-22-0x0000000000000000-mapping.dmp

Download
memory/1880-6-0x0000000000000000-mapping.dmp

Download
memory/1940-26-0x0000000000000000-mapping.dmp

Download
memory/1976-23-0x0000000000000000-mapping.dmp

Download
memory/1996-28-0x0000000000000000-mapping.dmp

Download
memory/2032-27-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads