Analysis
- max time kernel: 96s
- max time network: 13s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 06-11-2020 15:30

Static task: static1

Behavioral task: behavioral1
- Sample: 93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: 93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
- Resource: win10v20201028

General
- Target: 93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
- Size: 212KB
- MD5: dea4027a50377c42ea9007e008dd345d
- SHA1: bb90e3e7983d27859727418d84a406b0da069560
- SHA256: 93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb
- SHA512: f440d64d081741e49cfc425115e62d6470317118badcd9116ea1cac2f2d1e730ae485b1f27392125405c91381dfb93188ddd99dbfb2021044ca6f48fa25fa607

Malware Config
Extracted
- Ransom note path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- Family: buran
- Contact e-mail: serioussam@firemail.cc
Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (2 IoCs)
Processes: services.exe
  pid   process
  1280  services.exe
  1760  services.exe

Deletes itself (1 IoC)
Processes: notepad.exe
  pid   process
  1324  notepad.exe

Loads dropped DLL (2 IoCs)
Processes: 93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
  pid   process
  1584  93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
  1584  93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
  description      ioc                                                                                                                                                                      process
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                  93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"  93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: services.exe
  description              ioc     process
  File opened (read-only)  \??\U:  services.exe
  File opened (read-only)  \??\Q:  services.exe
  File opened (read-only)  \??\N:  services.exe
  File opened (read-only)  \??\M:  services.exe
  File opened (read-only)  \??\L:  services.exe
  File opened (read-only)  \??\G:  services.exe
  File opened (read-only)  \??\E:  services.exe
  File opened (read-only)  \??\Z:  services.exe
  File opened (read-only)  \??\Y:  services.exe
  File opened (read-only)  \??\S:  services.exe
  File opened (read-only)  \??\P:  services.exe
  File opened (read-only)  \??\O:  services.exe
  File opened (read-only)  \??\I:  services.exe
  File opened (read-only)  \??\B:  services.exe
  File opened (read-only)  \??\A:  services.exe
  File opened (read-only)  \??\V:  services.exe
  File opened (read-only)  \??\R:  services.exe
  File opened (read-only)  \??\K:  services.exe
  File opened (read-only)  \??\J:  services.exe
  File opened (read-only)  \??\H:  services.exe
  File opened (read-only)  \??\F:  services.exe
  File opened (read-only)  \??\X:  services.exe
  File opened (read-only)  \??\W:  services.exe
  File opened (read-only)  \??\T:  services.exe
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
  pid   process
  864   vssadmin.exe
  1188  vssadmin.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (62 IoCs)
Processes
(child processes are indented under their parent; each entry lists the image path, the command line, and the signatures triggered by that process)

C:\Users\Admin\AppData\Local\Temp\93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
      - Executes dropped EXE
      - Drops file in Program Files directory

    C:\Windows\SysWOW64\notepad.exe
      command line: notepad.exe

  C:\Windows\SysWOW64\notepad.exe
    command line: notepad.exe
    - Deletes itself

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Downloads