Analysis
  Max time kernel: 142s
  Max time network: 152s
  Platform: windows10_x64
  Resource: win10
  Submitted: 27-10-2020 03:59
Tasks
  Static task static1
  Behavioral task behavioral1: sample b33e8ce6a7035bee5c5472d5b870b68a.vir.exe, resource win7
  Behavioral task behavioral2: sample b33e8ce6a7035bee5c5472d5b870b68a.vir.exe, resource win10
General
  Target: b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  Size: 114KB
  MD5: b33e8ce6a7035bee5c5472d5b870b68a
  SHA1: 783d08fe374f287a4e0412ed8b7f5446c6e65687
  SHA256: 2b5a3934d3e81fee4654bb1a7288c81af158a6d48a666cf8e379b0492551188f
  SHA512: 78c36e1f8ba968d55e8b469fba9623bd20f9d7216b4f5983388c32be564484caab228935f96fd8bff82bc8bb8732f7beb9ccede50385b6b6ba7e23b5cc60679f
Malware Config
Extracted
  Path: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
  Family: makop
  Emails: akzhq1010@tutanota.com, akzhq1010@cock.li
Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.

Suspicious use of NtCreateUserProcessOtherParentProcess (3 IoCs)
Processes (description | PID | process | target process):
  PID 1232 created 3096 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 created 3096 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 created 3096 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Deletes system backup catalog (2 TTPs)
Ransomware often tries to delete backup files to inhibit system recovery.
Processes (PID | process):
  3936 | wbadmin.exe
Modifies extensions of user files (1 IoC)
Ransomware generally changes the extension on encrypted files.
Processes (description | IoC | process):
  File opened for modification | C:\Users\Admin\Pictures\EnterSync.tiff | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
Loads dropped DLL (4 IoCs)
Processes (PID | process):
  2212 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  1908 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  3832 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  2080 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description | IoC | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe\"" | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Modifies service (2 TTPs, 5 IoCs)
Processes (description | IoC | process):
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes (description | PID | process | target process):
  PID 2212 set thread context of 3096 | 2212 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1908 set thread context of 2956 | 1908 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 3832 set thread context of 1924 | 3832 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
Drops file in Program Files directory (17795 IoCs)
Processes: b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description | IoC | process):
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | vds.exe
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (PID | process):
  2392 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (PID | process):
  3096 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  3096 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
Suspicious behavior: MapViewOfSection (3 IoCs)
Processes (PID | process):
  2212 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  1908 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  3832 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
Suspicious use of AdjustPrivilegeToken (50 IoCs)
Processes (description | PID | process):
  Token: SeTcbPrivilege | 1232 | svchost.exe
  Token: SeTcbPrivilege | 1232 | svchost.exe
  Token: SeBackupPrivilege | 2592 | vssvc.exe
  Token: SeRestorePrivilege | 2592 | vssvc.exe
  Token: SeAuditPrivilege | 2592 | vssvc.exe
  Token: SeBackupPrivilege | 368 | wbengine.exe
  Token: SeRestorePrivilege | 368 | wbengine.exe
  Token: SeSecurityPrivilege | 368 | wbengine.exe
  Token: SeIncreaseQuotaPrivilege | 3836 | WMIC.exe
  Token: SeSecurityPrivilege | 3836 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3836 | WMIC.exe
  Token: SeLoadDriverPrivilege | 3836 | WMIC.exe
  Token: SeSystemProfilePrivilege | 3836 | WMIC.exe
  Token: SeSystemtimePrivilege | 3836 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 3836 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 3836 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 3836 | WMIC.exe
  Token: SeBackupPrivilege | 3836 | WMIC.exe
  Token: SeRestorePrivilege | 3836 | WMIC.exe
  Token: SeShutdownPrivilege | 3836 | WMIC.exe
  Token: SeDebugPrivilege | 3836 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 3836 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 3836 | WMIC.exe
  Token: SeUndockPrivilege | 3836 | WMIC.exe
  Token: SeManageVolumePrivilege | 3836 | WMIC.exe
  Token: 33 | 3836 | WMIC.exe
  Token: 34 | 3836 | WMIC.exe
  Token: 35 | 3836 | WMIC.exe
  Token: 36 | 3836 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 3836 | WMIC.exe
  Token: SeSecurityPrivilege | 3836 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3836 | WMIC.exe
  Token: SeLoadDriverPrivilege | 3836 | WMIC.exe
  Token: SeSystemProfilePrivilege | 3836 | WMIC.exe
  Token: SeSystemtimePrivilege | 3836 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 3836 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 3836 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 3836 | WMIC.exe
  Token: SeBackupPrivilege | 3836 | WMIC.exe
  Token: SeRestorePrivilege | 3836 | WMIC.exe
  Token: SeShutdownPrivilege | 3836 | WMIC.exe
  Token: SeDebugPrivilege | 3836 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 3836 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 3836 | WMIC.exe
  Token: SeUndockPrivilege | 3836 | WMIC.exe
  Token: SeManageVolumePrivilege | 3836 | WMIC.exe
  Token: 33 | 3836 | WMIC.exe
  Token: 34 | 3836 | WMIC.exe
  Token: 35 | 3836 | WMIC.exe
  Token: 36 | 3836 | WMIC.exe
Suspicious use of WriteProcessMemory (41 IoCs)
Processes (description | PID | process | target process):
  PID 2212 wrote to memory of 3096 | 2212 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 2212 wrote to memory of 3096 | 2212 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 2212 wrote to memory of 3096 | 2212 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 2212 wrote to memory of 3096 | 2212 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 1908 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 1908 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 1908 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 1908 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 1908 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 1908 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 1908 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 3096 wrote to memory of 1968 | 3096 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | cmd.exe
  PID 3096 wrote to memory of 1968 | 3096 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | cmd.exe
  PID 1968 wrote to memory of 2392 | 1968 | cmd.exe | vssadmin.exe
  PID 1968 wrote to memory of 2392 | 1968 | cmd.exe | vssadmin.exe
  PID 1968 wrote to memory of 3936 | 1968 | cmd.exe | wbadmin.exe
  PID 1968 wrote to memory of 3936 | 1968 | cmd.exe | wbadmin.exe
  PID 1968 wrote to memory of 3836 | 1968 | cmd.exe | WMIC.exe
  PID 1968 wrote to memory of 3836 | 1968 | cmd.exe | WMIC.exe
  PID 1908 wrote to memory of 2956 | 1908 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1908 wrote to memory of 2956 | 1908 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1908 wrote to memory of 2956 | 1908 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1908 wrote to memory of 2956 | 1908 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 3832 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 3832 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 3832 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 3832 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 3832 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 3832 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 3832 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 3832 wrote to memory of 1924 | 3832 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 3832 wrote to memory of 1924 | 3832 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 3832 wrote to memory of 1924 | 3832 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 3832 wrote to memory of 1924 | 3832 | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 2080 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 2080 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 2080 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 2080 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 2080 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 2080 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
  PID 1232 wrote to memory of 2080 | 1232 | svchost.exe | b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
Processes (tree; bracketed number is the depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe"
      - Modifies extensions of user files
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe" n3096
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe" n3096
    [3] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\vssadmin.exe
          Command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
      [4] C:\Windows\system32\wbadmin.exe
          Command line: wbadmin delete catalog -quiet
          - Deletes backup catalog
      [4] C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe" n3096
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe" n3096
    [3] C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\b33e8ce6a7035bee5c5472d5b870b68a.vir.exe" n3096
        - Loads dropped DLL

[1] \??\c:\windows\system32\svchost.exe
    Command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\vdsldr.exe
    Command line: C:\Windows\System32\vdsldr.exe -Embedding

[1] C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
    - Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Roaming\779389082
    MD5: 40b7f298d30296864906d4e175ff9f43
    SHA1: 349b60915d0ce78aacc57231ae1e0df151e20087
    SHA256: 2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4
    SHA512: ed4c76fa8e4e0eb527f34ea6a25094ee8bdc343be1c0806bcb8baff3cd77e6944cee50125090a7fd8869951b53ced7dce4a48a197859a1e4616c7495390b36e7

  C:\Users\Admin\AppData\Roaming\779389082
    MD5: f39b90747e32264881cea9dcc0300eab
    SHA1: 3e4f50951b61af80c87478a25e967abdbd27afe3
    SHA256: f7cb7c8c52ac683a05b7c2d8d51d6dd888309acaa2c56ee124321192a6aaf3c5
    SHA512: 1fe91fe61edcde5651a4d6f78000e922bc5c523a69638456d0cfaf67ed36146e86b3bd25473699c08ddf7564a6c2c61d6f98ea2b7b5c989a8feea52acd2194a5

  \Users\Admin\AppData\Local\Temp\nsbB9DC.tmp\System.dll
  \Users\Admin\AppData\Local\Temp\nsd10A0.tmp\System.dll
  \Users\Admin\AppData\Local\Temp\nsd6894.tmp\System.dll
  \Users\Admin\AppData\Local\Temp\nsq3891.tmp\System.dll
  (the four System.dll copies above are identical)
    MD5: fccff8cb7a1067e23fd2e2b63971a8e1
    SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
    SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
    SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
Memory dumps
  memory/1908-5-0x0000000000000000-mapping.dmp
  memory/1924-20-0x00000000004059A0-mapping.dmp
  memory/1968-6-0x0000000000000000-mapping.dmp
  memory/2080-23-0x0000000000000000-mapping.dmp
  memory/2392-8-0x0000000000000000-mapping.dmp
  memory/2956-13-0x00000000004059A0-mapping.dmp
  memory/3096-3-0x0000000000400000-0x000000000041F000-memory.dmp (filesize 124KB)
  memory/3096-2-0x00000000004059A0-mapping.dmp
  memory/3096-1-0x0000000000400000-0x000000000041F000-memory.dmp (filesize 124KB)
  memory/3832-17-0x0000000000000000-mapping.dmp
  memory/3836-10-0x0000000000000000-mapping.dmp
  memory/3936-9-0x0000000000000000-mapping.dmp