Analysis
- max time kernel: 124s
- max time network: 96s
- platform: windows10_x64
- resource: win10v200722
- submitted: 28-07-2020 05:47
Static task: static1
Behavioral task: behavioral1
- Sample: _______200728(_____ __ __ ________ ________).exe
- Resource: win7
Behavioral task: behavioral2
- Sample: _______200728(_____ __ __ ________ ________).exe
- Resource: win10v200722
General
- Target: _______200728(_____ __ __ ________ ________).exe
- Size: 142KB
- MD5: 88e86bec16a339b6eb5ede18f383ffd9
- SHA1: 91e79df0e7b60a9f58f068f5eacb1e1b32419e40
- SHA256: 801384c781c364acdc61e60e5b120359cb4617a42da8155123f3a0381a56495a
- SHA512: 3cd8291b6ed8ed94b3c523ef43fd31b155f62547dadf2d4810d06696af5e616aa5f454dd3a0cfa9ff6025890dcd4998966a539257158f43da764b7ff767dfd93
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
- Family: makop
- Emails: akzhq725@tutanota.com, akzhq725@cock.li
Signatures

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
Process: _______200728(_____ __ __ ________ ________).exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\_______200728(_____ __ __ ________ ________).exe\""
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- vssadmin.exe (pid 376)
Drops file in Program Files directory (17736 IoCs)
Processes:
Process: _______200728(_____ __ __ ________ ________).exe
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-40.png
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\eu-es\readme-warning.txt
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchMedTile.scale-100.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsSmallTile.contrast-black_scale-200.png
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\ECLIPSE.ELM
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN120.XML
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\Microsoft.Advertising\ormma.js
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\WideTile.scale-200.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-hover.svg
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-multiview.jar
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\lib\tzdb.dat
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\cc_16x11.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ht_16x11.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_contrast-black.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\s_thumbnailview_18.svg
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\readme-warning.txt
- File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\SmallTile.scale-125.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-64.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100_contrast-white.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ko-kr\ui-strings.js
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_PT-BR.respack
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tournament\ShowLeaderboardButton.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logo.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\AppxManifest.xml
- File created: C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\readme-warning.txt
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-80_contrast-black.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\CompleteCheckmark2x.png
- File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-black_scale-200.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\skype.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\Icons\tripeaks.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\WideTile.scale-200_contrast-black.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\main.css
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\eu-es\readme-warning.txt
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.services_3.4.0.v20140312-2051.jar
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\lib\security\java.policy
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK
- File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSmallTile.contrast-black_scale-125.png
- File opened for modification: C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\In.ps1
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Outlook.scale-200.png
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\readme-warning.txt
- File opened for modification: C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Should.Tests.ps1
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.properties
- File opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-300.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxAccountsSplashLogo.scale-180.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-125.png
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\readme-warning.txt
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-140.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\xs_16x11.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-96_altform-unplated.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8576_32x32x32.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\en-US\IpsMigrationPlugin.dll.mui
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Delete.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-96_altform-fullcolor.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\WideTile.scale-200.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2_20x20x32.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\css\main-selector.css
Suspicious use of WriteProcessMemory (22 IoCs)
Processes: svchost.exe, _______200728(_____ __ __ ________ ________).exe, cmd.exe
- PID 3016 wrote to memory of 576: svchost.exe -> _______200728(_____ __ __ ________ ________).exe
- PID 3016 wrote to memory of 576: svchost.exe -> _______200728(_____ __ __ ________ ________).exe
- PID 3016 wrote to memory of 576: svchost.exe -> _______200728(_____ __ __ ________ ________).exe
- PID 3016 wrote to memory of 576: svchost.exe -> _______200728(_____ __ __ ________ ________).exe
- PID 3016 wrote to memory of 576: svchost.exe -> _______200728(_____ __ __ ________ ________).exe
- PID 3016 wrote to memory of 576: svchost.exe -> _______200728(_____ __ __ ________ ________).exe
- PID 3016 wrote to memory of 576: svchost.exe -> _______200728(_____ __ __ ________ ________).exe
- PID 4040 wrote to memory of 900: _______200728(_____ __ __ ________ ________).exe -> cmd.exe
- PID 4040 wrote to memory of 900: _______200728(_____ __ __ ________ ________).exe -> cmd.exe
- PID 900 wrote to memory of 376: cmd.exe -> vssadmin.exe
- PID 900 wrote to memory of 376: cmd.exe -> vssadmin.exe
- PID 900 wrote to memory of 1644: cmd.exe -> wbadmin.exe
- PID 900 wrote to memory of 1644: cmd.exe -> wbadmin.exe
- PID 900 wrote to memory of 2672: cmd.exe -> WMIC.exe
- PID 900 wrote to memory of 2672: cmd.exe -> WMIC.exe
- PID 3016 wrote to memory of 2776: svchost.exe -> _______200728(_____ __ __ ________ ________).exe
- PID 3016 wrote to memory of 2776: svchost.exe -> _______200728(_____ __ __ ________ ________).exe
- PID 3016 wrote to memory of 2776: svchost.exe -> _______200728(_____ __ __ ________ ________).exe
- PID 3016 wrote to memory of 2776: svchost.exe -> _______200728(_____ __ __ ________ ________).exe
- PID 3016 wrote to memory of 2776: svchost.exe -> _______200728(_____ __ __ ________ ________).exe
- PID 3016 wrote to memory of 2776: svchost.exe -> _______200728(_____ __ __ ________ ________).exe
- PID 3016 wrote to memory of 2776: svchost.exe -> _______200728(_____ __ __ ________ ________).exe
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
Process: vds.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName
Makop
Ransomware family discovered by @VK_Intel in early 2020.

Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
Process: _______200728(_____ __ __ ________ ________).exe
- File opened for modification: C:\Users\Admin\Pictures\NewLimit.tiff
- File opened for modification: C:\Users\Admin\Pictures\SelectEnter.tiff
- File opened for modification: C:\Users\Admin\Pictures\TraceRemove.tiff
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- _______200728(_____ __ __ ________ ________).exe (pid 4040)
- _______200728(_____ __ __ ________ ________).exe (pid 4040)
Deletes system backup catalog (2 TTPs)
Ransomware often tries to delete backup files to inhibit system recovery.

Suspicious use of AdjustPrivilegeToken (50 IoCs)
Processes: svchost.exe, vssvc.exe, wbengine.exe, WMIC.exe
Process: svchost.exe (pid 3016)
- Token: SeTcbPrivilege
- Token: SeTcbPrivilege
Process: vssvc.exe (pid 1112)
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeAuditPrivilege
Process: wbengine.exe (pid 1880)
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeSecurityPrivilege
Process: WMIC.exe (pid 2672), the following sequence of 21 entries recorded twice (42 entries in total)
- Token: SeIncreaseQuotaPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeManageVolumePrivilege
- Token: 33
- Token: 34
- Token: 35
- Token: 36
Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
Processes:
- PID 3016 created 4040: svchost.exe -> _______200728(_____ __ __ ________ ________).exe
- PID 3016 created 4040: svchost.exe -> _______200728(_____ __ __ ________ ________).exe

Processes:
- wbadmin.exe (pid 1644)
Modifies service (2 TTPs, 5 IoCs)
Processes:
Process: vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- C:\Users\Admin\AppData\Local\Temp\_______200728(_____ __ __ ________ ________).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\_______200728(_____ __ __ ________ ________).exe"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - Modifies extensions of user files
  - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\_______200728(_____ __ __ ________ ________).exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\_______200728(_____ __ __ ________ ________).exe" n4040
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    - C:\Windows\system32\wbadmin.exe
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\_______200728(_____ __ __ ________ ________).exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\_______200728(_____ __ __ ________ ________).exe" n4040
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of NtCreateUserProcessOtherParentProcess
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/376-4-0x0000000000000000-mapping.dmp
- memory/576-2-0x0000000000000000-mapping.dmp
- memory/576-5-0x000000000342B000-0x000000000342D000-memory.dmp (Filesize: 8KB)
- memory/576-6-0x0000000004EC0000-0x0000000004EC1000-memory.dmp (Filesize: 4KB)
- memory/900-3-0x0000000000000000-mapping.dmp
- memory/1644-7-0x0000000000000000-mapping.dmp
- memory/2672-8-0x0000000000000000-mapping.dmp
- memory/2776-10-0x0000000000000000-mapping.dmp
- memory/2776-11-0x000000000344C000-0x000000000344D000-memory.dmp (Filesize: 4KB)
- memory/2776-12-0x0000000004F00000-0x0000000004F01000-memory.dmp (Filesize: 4KB)
- memory/4040-0-0x00000000034B6000-0x00000000034B7000-memory.dmp (Filesize: 4KB)
- memory/4040-1-0x00000000051F0000-0x00000000051F1000-memory.dmp (Filesize: 4KB)