Analysis

- max time kernel: 145s
- max time network: 136s
- platform: windows7_x64
- resource: win7v200722
- submitted: 31-08-2020 14:41

Static task: static1

Behavioral task: behavioral1
- Sample: 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
- Resource: win7v200722

Behavioral task: behavioral2
- Sample: 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
- Resource: win10
General

- Target: 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
- Size: 474KB
- MD5: 249baa1dbda4c346a96913ed7c17c77b
- SHA1: e43cabc4d3968d62c22455c601885120453f226e
- SHA256: 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355
- SHA512: 4436be75bdfd3e59e3ab4132250490255c97b20c937400407adb73d199b4b9658ac1389327cdfa29ce44ad5e5c417b687d0a80fdb77baf49c632fd1dbd4cc615
Malware Config

Extracted from: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
- Family: makop
- Contact emails: akzhq808@tutanota.com, akzhq808@cock.li
Signatures

- Makop
  Ransomware family discovered by @VK_Intel in early 2020.

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Deletes system backup catalog (2 TTPs)
  Ransomware often tries to delete backup files to inhibit system recovery.
  Processes:
    pid | process
    1976 | wbadmin.exe
- Loads dropped DLL (4 IoCs)
  Processes:
    pid | process
    1480 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    324 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    1580 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    1816 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe\"" | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

- Modifies service (2 TTPs, 5 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe

- Suspicious use of SetThreadContext (4 IoCs)
  Processes:
    description | pid | process | target process
    PID 1480 set thread context of 1400 | 1480 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 324 set thread context of 1748 | 324 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 1580 set thread context of 1504 | 1580 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 1816 set thread context of 928 | 1816 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
- Drops file in Program Files directory (9747 IoCs)
  Processes: 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
  (the process column is 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe for every row below)
    description | ioc
    File opened for modification | C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\PAPYRUS.ELM
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+3
    File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR47B.GIF
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup-impl.jar
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01734_.GIF
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01751_.GIF
    File opened for modification | C:\Program Files\Microsoft Office\Document Themes 14\Theme Effects\Grid.eftx
    File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\TAB_ON.GIF
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_rest.png
    File opened for modification | C:\Program Files (x86)\Windows Media Player\en-US\WMPDMCCore.dll.mui
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Jamaica
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Vladivostok
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01268_.GIF
    File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\MSACCESS_COL.HXT
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\CIEXYZ.pf
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG
    File opened for modification | C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD10256_.GIF
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\settings.html
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util-lookup.jar
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA01357_.WMF
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00367_.WMF
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Athens
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152894.WMF
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0153091.WMF
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)notConnectedStateIcon.png
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Norfolk
    File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Sts2.css
    File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME13.CSS
    File opened for modification | C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0199805.WMF
    File created | C:\Program Files\Microsoft Office\Office14\OneNote\readme-warning.txt
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg.png
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\init.js
    File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rio_Branco
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099177.WMF
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107728.WMF
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00728_.WMF
    File opened for modification | C:\Program Files\Microsoft Office\Office14\PUBWIZ\BS2BARB.POC
    File opened for modification | C:\Program Files\RemoveUpdate.vsdx
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif.[BD7F8AD9].[akzhq808@tutanota.com].makop
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099176.WMF
    File created | C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\readme-warning.txt
    File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqloledb.rll.mui
    File opened for modification | C:\Program Files\7-Zip\Lang\uz.txt
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01173_.WMF
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107450.WMF
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\MP00646_.WMF
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_settings.png
    File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\Sounds\People\THROAT.WAV
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single.png
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\spacer_highlights.png
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ceuta
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sendopts.jar
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099167.JPG
    File opened for modification | C:\Program Files\Microsoft Office\Office14\FORMS\1033\TASKACCS.ICO
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid | process
    1600 | vssadmin.exe

- Modifies system certificate store
  Processes:
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid | process
    1400 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe

- Suspicious behavior: MapViewOfSection (4 IoCs)
  Processes:
    pid | process
    1480 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    324 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    1580 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    1816 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe

- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes:
    description | pid | process
    Token: SeBackupPrivilege | 1620 | vssvc.exe
    Token: SeRestorePrivilege | 1620 | vssvc.exe
    Token: SeAuditPrivilege | 1620 | vssvc.exe
    Token: SeBackupPrivilege | 1372 | wbengine.exe
    Token: SeRestorePrivilege | 1372 | wbengine.exe
    Token: SeSecurityPrivilege | 1372 | wbengine.exe
    Token: SeIncreaseQuotaPrivilege | 1460 | WMIC.exe
    Token: SeSecurityPrivilege | 1460 | WMIC.exe
    Token: SeTakeOwnershipPrivilege | 1460 | WMIC.exe
    Token: SeLoadDriverPrivilege | 1460 | WMIC.exe
    Token: SeSystemProfilePrivilege | 1460 | WMIC.exe
    Token: SeSystemtimePrivilege | 1460 | WMIC.exe
    Token: SeProfSingleProcessPrivilege | 1460 | WMIC.exe
    Token: SeIncBasePriorityPrivilege | 1460 | WMIC.exe
    Token: SeCreatePagefilePrivilege | 1460 | WMIC.exe
    Token: SeBackupPrivilege | 1460 | WMIC.exe
    Token: SeRestorePrivilege | 1460 | WMIC.exe
    Token: SeShutdownPrivilege | 1460 | WMIC.exe
    Token: SeDebugPrivilege | 1460 | WMIC.exe
    Token: SeSystemEnvironmentPrivilege | 1460 | WMIC.exe
    Token: SeRemoteShutdownPrivilege | 1460 | WMIC.exe
    Token: SeUndockPrivilege | 1460 | WMIC.exe
    Token: SeManageVolumePrivilege | 1460 | WMIC.exe
    Token: 33 | 1460 | WMIC.exe
    Token: 34 | 1460 | WMIC.exe
    Token: 35 | 1460 | WMIC.exe
    Token: SeIncreaseQuotaPrivilege | 1460 | WMIC.exe
    Token: SeSecurityPrivilege | 1460 | WMIC.exe
    Token: SeTakeOwnershipPrivilege | 1460 | WMIC.exe
    Token: SeLoadDriverPrivilege | 1460 | WMIC.exe
    Token: SeSystemProfilePrivilege | 1460 | WMIC.exe
    Token: SeSystemtimePrivilege | 1460 | WMIC.exe
    Token: SeProfSingleProcessPrivilege | 1460 | WMIC.exe
    Token: SeIncBasePriorityPrivilege | 1460 | WMIC.exe
    Token: SeCreatePagefilePrivilege | 1460 | WMIC.exe
    Token: SeBackupPrivilege | 1460 | WMIC.exe
    Token: SeRestorePrivilege | 1460 | WMIC.exe
    Token: SeShutdownPrivilege | 1460 | WMIC.exe
    Token: SeDebugPrivilege | 1460 | WMIC.exe
    Token: SeSystemEnvironmentPrivilege | 1460 | WMIC.exe
    Token: SeRemoteShutdownPrivilege | 1460 | WMIC.exe
    Token: SeUndockPrivilege | 1460 | WMIC.exe
    Token: SeManageVolumePrivilege | 1460 | WMIC.exe
    Token: 33 | 1460 | WMIC.exe
    Token: 34 | 1460 | WMIC.exe
    Token: 35 | 1460 | WMIC.exe

- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes:
    description | pid | process | target process
    PID 1480 wrote to memory of 1400 | 1480 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 1480 wrote to memory of 1400 | 1480 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 1480 wrote to memory of 1400 | 1480 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 1480 wrote to memory of 1400 | 1480 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 1480 wrote to memory of 1400 | 1480 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 1400 wrote to memory of 816 | 1400 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | cmd.exe
    PID 1400 wrote to memory of 816 | 1400 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | cmd.exe
    PID 1400 wrote to memory of 816 | 1400 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | cmd.exe
    PID 1400 wrote to memory of 816 | 1400 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | cmd.exe
    PID 816 wrote to memory of 1600 | 816 | cmd.exe | vssadmin.exe
    PID 816 wrote to memory of 1600 | 816 | cmd.exe | vssadmin.exe
    PID 816 wrote to memory of 1600 | 816 | cmd.exe | vssadmin.exe
    PID 816 wrote to memory of 1976 | 816 | cmd.exe | wbadmin.exe
    PID 816 wrote to memory of 1976 | 816 | cmd.exe | wbadmin.exe
    PID 816 wrote to memory of 1976 | 816 | cmd.exe | wbadmin.exe
    PID 816 wrote to memory of 1460 | 816 | cmd.exe | WMIC.exe
    PID 816 wrote to memory of 1460 | 816 | cmd.exe | WMIC.exe
    PID 816 wrote to memory of 1460 | 816 | cmd.exe | WMIC.exe
    PID 324 wrote to memory of 1748 | 324 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 324 wrote to memory of 1748 | 324 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 324 wrote to memory of 1748 | 324 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 324 wrote to memory of 1748 | 324 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 324 wrote to memory of 1748 | 324 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 1580 wrote to memory of 1504 | 1580 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 1580 wrote to memory of 1504 | 1580 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 1580 wrote to memory of 1504 | 1580 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 1580 wrote to memory of 1504 | 1580 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 1580 wrote to memory of 1504 | 1580 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 1816 wrote to memory of 928 | 1816 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 1816 wrote to memory of 928 | 1816 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 1816 wrote to memory of 928 | 1816 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 1816 wrote to memory of 928 | 1816 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    PID 1816 wrote to memory of 928 | 1816 | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe | 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
Processes

(Process tree; child processes are indented under their parent, each entry shows the image path, its command line, and the signatures it triggered.)

- C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe" n1400
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe" n1400

    - C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory

      - C:\Windows\system32\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies

      - C:\Windows\system32\wbadmin.exe
        command line: wbadmin delete catalog -quiet
        - Deletes backup catalog

      - C:\Windows\System32\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

    - C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe" n1400
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe" n1400

    - C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe" n1400
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe" n1400

- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding

- C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\644744872
- C:\Users\Admin\AppData\Local\Temp\644744872
- C:\Users\Admin\AppData\Local\Temp\644744872
- C:\Users\Admin\AppData\Local\Temp\644744872
- C:\Users\Admin\AppData\Local\Temp\644744872
- \??\PIPE\wkssvc
- \Users\Admin\AppData\Local\Temp\nsd30B2.tmp\System.dll
- \Users\Admin\AppData\Local\Temp\nsiAE79.tmp\System.dll
- \Users\Admin\AppData\Local\Temp\nsiCE29.tmp\System.dll
- \Users\Admin\AppData\Local\Temp\nsjAE0C.tmp\System.dll
- memory/816-4-0x0000000000000000-mapping.dmp
- memory/928-24-0x00000000004059A0-mapping.dmp
- memory/1180-14-0x000007FEF76E0000-0x000007FEF795A000-memory.dmp (Filesize: 2.5MB)
- memory/1400-3-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
- memory/1400-2-0x00000000004059A0-mapping.dmp
- memory/1400-1-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
- memory/1460-9-0x0000000000000000-mapping.dmp
- memory/1504-18-0x00000000004059A0-mapping.dmp
- memory/1600-5-0x0000000000000000-mapping.dmp
- memory/1748-12-0x00000000004059A0-mapping.dmp
- memory/1976-8-0x0000000000000000-mapping.dmp