Analysis

max time kernel: 149s
max time network: 149s
platform: windows10_x64
resource: win10
submitted: 31-08-2020 14:41
Static task: static1

Behavioral task: behavioral1
  Sample: 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
  Resource: win7v200722

Behavioral task: behavioral2
  Sample: 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
  Resource: win10
General

Target: 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
Size: 474KB
MD5: 249baa1dbda4c346a96913ed7c17c77b
SHA1: e43cabc4d3968d62c22455c601885120453f226e
SHA256: 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355
SHA512: 4436be75bdfd3e59e3ab4132250490255c97b20c937400407adb73d199b4b9658ac1389327cdfa29ce44ad5e5c417b687d0a80fdb77baf49c632fd1dbd4cc615
Malware Config

Extracted from: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
Family: makop
Emails: akzhq808@tutanota.com, akzhq808@cock.li
Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.

Suspicious use of NtCreateUserProcessOtherParentProcess (4 IoCs)
Processes (description; pid process; target process):
  PID 1268 created 688; 1268 svchost.exe; 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe   [4 identical entries]
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Deletes system backup catalog (2 TTPs)
Ransomware often tries to delete backup files to inhibit system recovery.
Processes (pid process):
  2800 wbadmin.exe
Modifies extensions of user files (1 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (description; ioc; process):
  File opened for modification; C:\Users\Admin\Pictures\StartProtect.tiff; 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe

Loads dropped DLL (5 IoCs)
Processes (pid process):
  3612 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
  1336 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
  2596 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
  256 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
  1084 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description; ioc; process):
  Set value (str); \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe\""; 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Modifies service (2 TTPs, 5 IoCs)
Processes (description; ioc; process):
  Key created; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}; vssvc.exe
  Key created; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer; vssvc.exe
  Key created; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer; vssvc.exe
  Key created; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer; vssvc.exe
  Key created; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer; vssvc.exe

Suspicious use of SetThreadContext (5 IoCs)
Processes (description; pid process; target process):
  PID 3612 set thread context of 688; 3612 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe; 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
  PID 1336 set thread context of 2208; 1336 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe; 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
  PID 2596 set thread context of 2404; 2596 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe; 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
  PID 256 set thread context of 1640; 256 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe; 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
  PID 1084 set thread context of 2572; 1084 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe; 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
Drops file in Program Files directory (17749 IoCs)
Processes (description; ioc). All 64 entries listed here are by process 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe:
  File created; C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\readme-warning.txt
  File created; C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\readme-warning.txt
  File opened for modification; C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT
  File created; C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\readme-warning.txt
  File opened for modification; C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunjce_provider.jar
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\SplashScreen.scale-150.png
  File opened for modification; C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_newfolder-default.svg
  File opened for modification; C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\plugin.js
  File opened for modification; C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.png
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\6440_40x40x32.png
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\li_60x42.png
  File opened for modification; C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailWideTile.scale-200.png
  File opened for modification; C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\kb-locked.png
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\WideTile.scale-100.png
  File opened for modification; C:\Program Files\Java\jre1.8.0_66\lib\javafx.properties
  File opened for modification; C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js
  File created; C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\readme-warning.txt
  File opened for modification; C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adobe_spinner.gif
  File opened for modification; C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK
  File created; C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\readme-warning.txt
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\CardBacks\Classic.png
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\nu_60x42.png
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7ce.png
  File opened for modification; C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg
  File opened for modification; C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\PREVIEW.GIF
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Fues\Arrow.png
  File opened for modification; C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms
  File opened for modification; C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\EXPEDITN.ELM
  File opened for modification; C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\THMBNAIL.PNG
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.scale-100.png
  File opened for modification; C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-400.png
  File created; C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\readme-warning.txt
  File opened for modification; C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml
  File opened for modification; C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml
  File created; C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\readme-warning.txt
  File opened for modification; C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.Telemetry\BIEvents.xml
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-400.png
  File opened for modification; C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-150.png
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.scale-100.png
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\star_3qtr.png
  File opened for modification; C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml
  File opened for modification; C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1CACH.LEX
  File opened for modification; C:\Program Files\ConnectApprove.mov
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20.png
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleWideTile.scale-200.png
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-100.png
  File opened for modification; C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar
  File opened for modification; C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sqlpdw.xsl
  File opened for modification; C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-100.png
  File opened for modification; C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\ProjectionSpheric.scale-100.png
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\eu_16x11.png
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\SmallTile.scale-200.png
  File opened for modification; C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close2x.png
  File opened for modification; C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms
  File opened for modification; C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png
  File opened for modification; C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\ui-strings.js
  File opened for modification; C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.batik.util.gui_1.7.0.v200903091627.jar
  File opened for modification; C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\WideTile.scale-200.png
  File created; C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ko-kr\readme-warning.txt
  File opened for modification; C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\root\ui-strings.js
  File opened for modification; C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\WideTile.scale-125.png
  File opened for modification; C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\9724_24x24x32.png
Drops file in Windows directory (1 IoCs)
Processes (description; ioc; process):
  File opened for modification; C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat; svchost.exe
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description; ioc; process):
  Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000; vds.exe
  Key value queried; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName; vds.exe
  Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000; vds.exe
  Key value queried; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName; vds.exe
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid process):
  1896 vssadmin.exe
Modifies data under HKEY_USERS (5 IoCs)
Processes (description; ioc; process):
  Key created; \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad; svchost.exe
  Key created; \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7; svchost.exe
  Set value (int); \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"; svchost.exe
  Set value (data); \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 25b53344a47fd601; svchost.exe
  Set value (int); \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"; svchost.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid process):
  688 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe   [2 identical entries]

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes (pid process):
  3612 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
  1336 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
  2596 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
  256 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
  1084 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
Suspicious use of AdjustPrivilegeToken (52 IoCs)
Processes (description; pid process):
  Token: SeShutdownPrivilege; 2084 svchost.exe
  Token: SeCreatePagefilePrivilege; 2084 svchost.exe
  Token: SeTcbPrivilege; 1268 svchost.exe   [2 identical entries]
  Token: SeBackupPrivilege; 2168 vssvc.exe
  Token: SeRestorePrivilege; 2168 vssvc.exe
  Token: SeAuditPrivilege; 2168 vssvc.exe
  Token: SeBackupPrivilege; 4068 wbengine.exe
  Token: SeRestorePrivilege; 4068 wbengine.exe
  Token: SeSecurityPrivilege; 4068 wbengine.exe
  The following 21 entries for 2432 WMIC.exe appear twice, in the same order, making up the remaining 42 IoCs:
  Token: SeIncreaseQuotaPrivilege; 2432 WMIC.exe
  Token: SeSecurityPrivilege; 2432 WMIC.exe
  Token: SeTakeOwnershipPrivilege; 2432 WMIC.exe
  Token: SeLoadDriverPrivilege; 2432 WMIC.exe
  Token: SeSystemProfilePrivilege; 2432 WMIC.exe
  Token: SeSystemtimePrivilege; 2432 WMIC.exe
  Token: SeProfSingleProcessPrivilege; 2432 WMIC.exe
  Token: SeIncBasePriorityPrivilege; 2432 WMIC.exe
  Token: SeCreatePagefilePrivilege; 2432 WMIC.exe
  Token: SeBackupPrivilege; 2432 WMIC.exe
  Token: SeRestorePrivilege; 2432 WMIC.exe
  Token: SeShutdownPrivilege; 2432 WMIC.exe
  Token: SeDebugPrivilege; 2432 WMIC.exe
  Token: SeSystemEnvironmentPrivilege; 2432 WMIC.exe
  Token: SeRemoteShutdownPrivilege; 2432 WMIC.exe
  Token: SeUndockPrivilege; 2432 WMIC.exe
  Token: SeManageVolumePrivilege; 2432 WMIC.exe
  Token: 33; 2432 WMIC.exe
  Token: 34; 2432 WMIC.exe
  Token: 35; 2432 WMIC.exe
  Token: 36; 2432 WMIC.exe
Suspicious use of WriteProcessMemory (56 IoCs)
Processes (description; pid process; target process), identical consecutive entries collapsed with their count:
  PID 3612 wrote to memory of 688; 3612 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe; 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe   [4 entries]
  PID 1268 wrote to memory of 1336; 1268 svchost.exe; 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe   [7 entries]
  PID 688 wrote to memory of 1648; 688 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe; cmd.exe   [2 entries]
  PID 1648 wrote to memory of 1896; 1648 cmd.exe; vssadmin.exe   [2 entries]
  PID 1648 wrote to memory of 2800; 1648 cmd.exe; wbadmin.exe   [2 entries]
  PID 1648 wrote to memory of 2432; 1648 cmd.exe; WMIC.exe   [2 entries]
  PID 1336 wrote to memory of 2208; 1336 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe; 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe   [4 entries]
  PID 1268 wrote to memory of 2596; 1268 svchost.exe; 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe   [7 entries]
  PID 2596 wrote to memory of 2404; 2596 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe; 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe   [4 entries]
  PID 1268 wrote to memory of 256; 1268 svchost.exe; 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe   [7 entries]
  PID 256 wrote to memory of 1640; 256 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe; 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe   [4 entries]
  PID 1268 wrote to memory of 1084; 1268 svchost.exe; 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe   [7 entries]
  PID 1084 wrote to memory of 2572; 1084 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe; 212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe   [4 entries]
Processes
-
C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe"
      - Modifies extensions of user files
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe" n688
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe" n688
        C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe"
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\vssadmin.exe
              Command line: vssadmin delete shadows /all /quiet
              - Interacts with shadow copies
            C:\Windows\system32\wbadmin.exe
              Command line: wbadmin delete catalog -quiet
              - Deletes backup catalog
            C:\Windows\System32\Wbem\WMIC.exe
              Command line: wmic shadowcopy delete
              - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe" n688
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe" n688
        C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe" n688
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe" n688
        C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe" n688
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\212fda15138c362d0f7b8f5a2bf43cf8dca0030eee02f06cf2b0516325386355.exe" n688
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\644744872
- \Users\Admin\AppData\Local\Temp\nseB567.tmp\System.dll
- \Users\Admin\AppData\Local\Temp\nsf882.tmp\System.dll
- \Users\Admin\AppData\Local\Temp\nsg3B55.tmp\System.dll
- \Users\Admin\AppData\Local\Temp\nsi3083.tmp\System.dll
- \Users\Admin\AppData\Local\Temp\nsr24E4.tmp\System.dll
- memory/256-29-0x0000000000000000-mapping.dmp
- memory/688-3-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
- memory/688-2-0x00000000004059A0-mapping.dmp
- memory/688-1-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
- memory/1084-37-0x0000000000000000-mapping.dmp
- memory/1336-5-0x0000000000000000-mapping.dmp
- memory/1640-34-0x00000000004059A0-mapping.dmp
- memory/1648-6-0x0000000000000000-mapping.dmp
- memory/1896-7-0x0000000000000000-mapping.dmp
- memory/2208-14-0x00000000004059A0-mapping.dmp
- memory/2404-26-0x00000000004059A0-mapping.dmp
- memory/2432-11-0x0000000000000000-mapping.dmp
- memory/2572-42-0x00000000004059A0-mapping.dmp
- memory/2596-22-0x0000000000000000-mapping.dmp
- memory/2800-10-0x0000000000000000-mapping.dmp