Analysis
- max time kernel: 146s
- max time network: 153s
- platform: windows7_x64
- resource: win7
- submitted: 27-10-2020 03:59
Static task: static1
Behavioral task: behavioral1
  Sample: b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  Resource: win10
General
- Target: b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
- Size: 114KB
- MD5: b33e8ce6a7035bee5c5472d5b870b68a
- SHA1: 783d08fe374f287a4e0412ed8b7f5446c6e65687
- SHA256: 2b5a3934d3e81fee4654bb1a7288c81af158a6d48a666cf8e379b0492551188f
- SHA512: 78c36e1f8ba968d55e8b469fba9623bd20f9d7216b4f5983388c32be564484caab228935f96fd8bff82bc8bb8732f7beb9ccede50385b6b6ba7e23b5cc60679f
Malware Config
Extracted
  Path: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
  Family: makop
  Emails: akzhq1010@tutanota.com, akzhq1010@cock.li
Signatures
- Makop
  Ransomware family discovered by @VK_Intel in early 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Deletes system backup catalog (2 TTPs)
  Ransomware often tries to delete backup files to inhibit system recovery.
  Processes (pid | process):
    572 | wbadmin.exe
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Processes (description | ioc | process):
    File opened for modification | C:\Users\Admin\Pictures\UndoMount.tiff | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid | process):
    1524 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    1600 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    1476 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    1824 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe\"" | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Modifies service (2 TTPs, 5 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description | pid | process | target process):
    PID 1524 set thread context of 1672 | 1524 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    PID 1600 set thread context of 1552 | 1600 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    PID 1476 set thread context of 296 | 1476 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
- Drops file in Program Files directory (9752 IoCs; 64 shown)
  Processes (description | ioc; the process column is b33e8ce6a7035bee5c5472d5b870b68a.vir.exe for every row):
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLIST.CFG
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid_over.gif
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application-views.jar
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297749.WMF
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00117_.WMF
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESTS.ICO
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\REPTWIZ.POC
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter_partly-cloudy.png
    File opened for modification | C:\Program Files\Common Files\System\msadc\handsafe.reg
    File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\CONCRETE.INF
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14769_.GIF
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV98SP.POC
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Paramaribo
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\icon.png
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp.[65AF3378].[akzhq1010@tutanota.com].makop
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200377.WMF
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\TAB_ON.GIF
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZLIB.ACCDE
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\SignedComponents.cer
    File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\readme-warning.txt
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\readme-warning.txt
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Civic.eftx
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21333_.GIF
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html
    File opened for modification | C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\readme-warning.txt
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21316_.GIF
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_ja.jar
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm.[65AF3378].[akzhq1010@tutanota.com].makop
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00096_.WMF
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01954_.WMF
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\LASER.WAV
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImage.jpg
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.TLB
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEIRM.XML
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATHEDITOR_COL.HXC
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-windows.jar
    File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\readme-warning.txt
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107134.WMF
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18207_.WMF
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\El_Salvador
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_bezel.png
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_COL.HXT
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART1.BDR
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\COIN.WAV
    File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\core.jar
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216612.WMF
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21504_.GIF
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS11.POC
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_sun.png
    File opened for modification | C:\Program Files\VideoLAN\VLC\THANKS.txt
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400002.PNG
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid | process):
    1968 | vssadmin.exe
- Modifies system certificate store
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary value not shown in the report) | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid | process):
    1672 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes (pid | process):
    1524 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    1600 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    1476 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes (description | pid | process):
    Token: SeBackupPrivilege | 1172 | vssvc.exe
    Token: SeRestorePrivilege | 1172 | vssvc.exe
    Token: SeAuditPrivilege | 1172 | vssvc.exe
    Token: SeBackupPrivilege | 336 | wbengine.exe
    Token: SeRestorePrivilege | 336 | wbengine.exe
    Token: SeSecurityPrivilege | 336 | wbengine.exe
    Token: SeIncreaseQuotaPrivilege | 1444 | WMIC.exe
    Token: SeSecurityPrivilege | 1444 | WMIC.exe
    Token: SeTakeOwnershipPrivilege | 1444 | WMIC.exe
    Token: SeLoadDriverPrivilege | 1444 | WMIC.exe
    Token: SeSystemProfilePrivilege | 1444 | WMIC.exe
    Token: SeSystemtimePrivilege | 1444 | WMIC.exe
    Token: SeProfSingleProcessPrivilege | 1444 | WMIC.exe
    Token: SeIncBasePriorityPrivilege | 1444 | WMIC.exe
    Token: SeCreatePagefilePrivilege | 1444 | WMIC.exe
    Token: SeBackupPrivilege | 1444 | WMIC.exe
    Token: SeRestorePrivilege | 1444 | WMIC.exe
    Token: SeShutdownPrivilege | 1444 | WMIC.exe
    Token: SeDebugPrivilege | 1444 | WMIC.exe
    Token: SeSystemEnvironmentPrivilege | 1444 | WMIC.exe
    Token: SeRemoteShutdownPrivilege | 1444 | WMIC.exe
    Token: SeUndockPrivilege | 1444 | WMIC.exe
    Token: SeManageVolumePrivilege | 1444 | WMIC.exe
    Token: 33 | 1444 | WMIC.exe
    Token: 34 | 1444 | WMIC.exe
    Token: 35 | 1444 | WMIC.exe
    Token: SeIncreaseQuotaPrivilege | 1444 | WMIC.exe
    Token: SeSecurityPrivilege | 1444 | WMIC.exe
    Token: SeTakeOwnershipPrivilege | 1444 | WMIC.exe
    Token: SeLoadDriverPrivilege | 1444 | WMIC.exe
    Token: SeSystemProfilePrivilege | 1444 | WMIC.exe
    Token: SeSystemtimePrivilege | 1444 | WMIC.exe
    Token: SeProfSingleProcessPrivilege | 1444 | WMIC.exe
    Token: SeIncBasePriorityPrivilege | 1444 | WMIC.exe
    Token: SeCreatePagefilePrivilege | 1444 | WMIC.exe
    Token: SeBackupPrivilege | 1444 | WMIC.exe
    Token: SeRestorePrivilege | 1444 | WMIC.exe
    Token: SeShutdownPrivilege | 1444 | WMIC.exe
    Token: SeDebugPrivilege | 1444 | WMIC.exe
    Token: SeSystemEnvironmentPrivilege | 1444 | WMIC.exe
    Token: SeRemoteShutdownPrivilege | 1444 | WMIC.exe
    Token: SeUndockPrivilege | 1444 | WMIC.exe
    Token: SeManageVolumePrivilege | 1444 | WMIC.exe
    Token: 33 | 1444 | WMIC.exe
    Token: 34 | 1444 | WMIC.exe
    Token: 35 | 1444 | WMIC.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (description | pid | process | target process):
    PID 1524 wrote to memory of 1672 | 1524 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    PID 1524 wrote to memory of 1672 | 1524 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    PID 1524 wrote to memory of 1672 | 1524 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    PID 1524 wrote to memory of 1672 | 1524 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    PID 1524 wrote to memory of 1672 | 1524 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    PID 1672 wrote to memory of 1964 | 1672 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | cmd.exe
    PID 1672 wrote to memory of 1964 | 1672 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | cmd.exe
    PID 1672 wrote to memory of 1964 | 1672 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | cmd.exe
    PID 1672 wrote to memory of 1964 | 1672 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | cmd.exe
    PID 1964 wrote to memory of 1968 | 1964 | cmd.exe | vssadmin.exe
    PID 1964 wrote to memory of 1968 | 1964 | cmd.exe | vssadmin.exe
    PID 1964 wrote to memory of 1968 | 1964 | cmd.exe | vssadmin.exe
    PID 1964 wrote to memory of 572 | 1964 | cmd.exe | wbadmin.exe
    PID 1964 wrote to memory of 572 | 1964 | cmd.exe | wbadmin.exe
    PID 1964 wrote to memory of 572 | 1964 | cmd.exe | wbadmin.exe
    PID 1964 wrote to memory of 1444 | 1964 | cmd.exe | WMIC.exe
    PID 1964 wrote to memory of 1444 | 1964 | cmd.exe | WMIC.exe
    PID 1964 wrote to memory of 1444 | 1964 | cmd.exe | WMIC.exe
    PID 1600 wrote to memory of 1552 | 1600 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    PID 1600 wrote to memory of 1552 | 1600 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    PID 1600 wrote to memory of 1552 | 1600 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    PID 1600 wrote to memory of 1552 | 1600 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    PID 1600 wrote to memory of 1552 | 1600 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    PID 1476 wrote to memory of 296 | 1476 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    PID 1476 wrote to memory of 296 | 1476 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    PID 1476 wrote to memory of 296 | 1476 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    PID 1476 wrote to memory of 296 | 1476 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    PID 1476 wrote to memory of 296 | 1476 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
Processes (process tree; the number in brackets is the nesting depth reported by the sandbox)
- [1] C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe"
      signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe"
        signatures: Modifies extensions of user files; Adds Run key to start application; Drops file in Program Files directory; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe" n1672
          signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe" n1672
    - [3] C:\Windows\system32\cmd.exe
          command line: "C:\Windows\system32\cmd.exe"
          signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\vssadmin.exe
            command line: vssadmin delete shadows /all /quiet
            signatures: Interacts with shadow copies
      - [4] C:\Windows\system32\wbadmin.exe
            command line: wbadmin delete catalog -quiet
            signatures: Deletes backup catalog
      - [4] C:\Windows\System32\Wbem\WMIC.exe
            command line: wmic shadowcopy delete
            signatures: Suspicious use of AdjustPrivilegeToken
    - [3] C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe" n1672
          signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe" n1672
    - [3] C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe" n1672
          signatures: Loads dropped DLL
- [1] C:\Windows\system32\vssvc.exe
      command line: C:\Windows\system32\vssvc.exe
      signatures: Modifies service; Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\wbengine.exe
      command line: "C:\Windows\system32\wbengine.exe"
      signatures: Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\System32\vdsldr.exe
      command line: C:\Windows\System32\vdsldr.exe -Embedding
- [1] C:\Windows\System32\vds.exe
      command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\779389082
  MD5: 3193cb09bfe289089ec7efa05e2a0c14
  SHA1: 4378a6f910e2bd0ace4300cd7b6732e8c6de66a0
  SHA256: fab176bc862f9b45df53cb4b3e9879c791f4d7de76ae26f5af3ffa422ba95881
  SHA512: d8f59879ebec353858031da62018b88f2670e1d9b44476b8416e692556f03e5a94161183653a2aab964dc31c50d0c474fd61d27939618874e923318ec2dfda13
- C:\Users\Admin\AppData\Roaming\779389082
  MD5: 40b7f298d30296864906d4e175ff9f43
  SHA1: 349b60915d0ce78aacc57231ae1e0df151e20087
  SHA256: 2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4
  SHA512: ed4c76fa8e4e0eb527f34ea6a25094ee8bdc343be1c0806bcb8baff3cd77e6944cee50125090a7fd8869951b53ced7dce4a48a197859a1e4616c7495390b36e7
- \Users\Admin\AppData\Local\Temp\nsi6D93.tmp\System.dll
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- \Users\Admin\AppData\Local\Temp\nsn172A.tmp\System.dll
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- \Users\Admin\AppData\Local\Temp\nso45F7.tmp\System.dll
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- \Users\Admin\AppData\Local\Temp\nsyCACF.tmp\System.dll
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- memory/296-17-0x00000000004059A0-mapping.dmp
- memory/528-14-0x000007FEF6350000-0x000007FEF65CA000-memory.dmp
  Filesize: 2.5MB
- memory/572-7-0x0000000000000000-mapping.dmp
- memory/1444-8-0x0000000000000000-mapping.dmp
- memory/1552-11-0x00000000004059A0-mapping.dmp
- memory/1672-3-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/1672-2-0x00000000004059A0-mapping.dmp
- memory/1672-1-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/1964-4-0x0000000000000000-mapping.dmp
- memory/1968-6-0x0000000000000000-mapping.dmp