buran | 93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb

Analysis

max time kernel
96s
max time network
13s
platform
windows7_x64
resource
win7v20201028
submitted
06-11-2020 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
Size

212KB
MD5

dea4027a50377c42ea9007e008dd345d
SHA1

bb90e3e7983d27859727418d84a406b0da069560
SHA256

93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb
SHA512

f440d64d081741e49cfc425115e62d6470317118badcd9116ea1cac2f2d1e730ae485b1f27392125405c91381dfb93188ddd99dbfb2021044ca6f48fa25fa607

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: serioussam@firemail.cc and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Jabber: serioussam@thesecure.biz Write to email: serioussam@firemail.cc Your personal ID: 736-6D8-540 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

serioussam@firemail.cc

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

services.exeservices.exe

pid process

1280 services.exe
1760 services.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1324 notepad.exe

pid	process
1280	services.exe
1760	services.exe

pid	process
1324	notepad.exe

Loads dropped DLL 2 IoCs

Processes:

93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe

pid	process
1584	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
1584	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

services.exe

description	ioc	process
File opened (read-only)	\??\U:	services.exe
File opened (read-only)	\??\Q:	services.exe
File opened (read-only)	\??\N:	services.exe
File opened (read-only)	\??\M:	services.exe
File opened (read-only)	\??\L:	services.exe
File opened (read-only)	\??\G:	services.exe
File opened (read-only)	\??\E:	services.exe
File opened (read-only)	\??\Z:	services.exe
File opened (read-only)	\??\Y:	services.exe
File opened (read-only)	\??\S:	services.exe
File opened (read-only)	\??\P:	services.exe
File opened (read-only)	\??\O:	services.exe
File opened (read-only)	\??\I:	services.exe
File opened (read-only)	\??\B:	services.exe
File opened (read-only)	\??\A:	services.exe
File opened (read-only)	\??\V:	services.exe
File opened (read-only)	\??\R:	services.exe
File opened (read-only)	\??\K:	services.exe
File opened (read-only)	\??\J:	services.exe
File opened (read-only)	\??\H:	services.exe
File opened (read-only)	\??\F:	services.exe
File opened (read-only)	\??\X:	services.exe
File opened (read-only)	\??\W:	services.exe
File opened (read-only)	\??\T:	services.exe

Drops file in Program Files directory 64 IoCs

Processes:

services.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar.736-6D8-540	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_zh_CN.jar.736-6D8-540	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTOPENWORLD.COM.XML.736-6D8-540	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG.736-6D8-540	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02288_.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0298897.WMF.736-6D8-540	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImages.jpg	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Interface.zip	services.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx.736-6D8-540	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00224_.WMF	services.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg.736-6D8-540	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09031_.WMF.736-6D8-540	services.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN03500_.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03470_.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01563_.WMF.736-6D8-540	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\StatusDoNotDisturb.ico.736-6D8-540	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-ui.jar.736-6D8-540	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp.736-6D8-540	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18232_.WMF.736-6D8-540	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD06102_.WMF.736-6D8-540	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090149.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102594.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217302.WMF.736-6D8-540	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jce.jar.736-6D8-540	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_ja.jar.736-6D8-540	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG.736-6D8-540	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar.736-6D8-540	services.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10.736-6D8-540	services.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04385_.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGLINACC.XML	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN01165_.WMF.736-6D8-540	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe.736-6D8-540	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG.736-6D8-540	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00057_.WMF.736-6D8-540	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN097.XML	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\leftnav.gif.736-6D8-540	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099181.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_TexturedBlue.gif	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099152.JPG.736-6D8-540	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar.736-6D8-540	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152884.WMF.736-6D8-540	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SWEST_01.MID	services.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00010_.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04269_.WMF.736-6D8-540	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0164153.JPG.736-6D8-540	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18207_.WMF.736-6D8-540	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar.736-6D8-540	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql2000.xsl	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106816.WMF.736-6D8-540	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18229_.WMF	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

864 vssadmin.exe
1188 vssadmin.exe

pid	process
864	vssadmin.exe
1188	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1584	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
Token: SeDebugPrivilege	1584	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
Token: SeIncreaseQuotaPrivilege	912	WMIC.exe
Token: SeSecurityPrivilege	912	WMIC.exe
Token: SeTakeOwnershipPrivilege	912	WMIC.exe
Token: SeLoadDriverPrivilege	912	WMIC.exe
Token: SeSystemProfilePrivilege	912	WMIC.exe
Token: SeSystemtimePrivilege	912	WMIC.exe
Token: SeProfSingleProcessPrivilege	912	WMIC.exe
Token: SeIncBasePriorityPrivilege	912	WMIC.exe
Token: SeCreatePagefilePrivilege	912	WMIC.exe
Token: SeBackupPrivilege	912	WMIC.exe
Token: SeRestorePrivilege	912	WMIC.exe
Token: SeShutdownPrivilege	912	WMIC.exe
Token: SeDebugPrivilege	912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	912	WMIC.exe
Token: SeRemoteShutdownPrivilege	912	WMIC.exe
Token: SeUndockPrivilege	912	WMIC.exe
Token: SeManageVolumePrivilege	912	WMIC.exe
Token: 33	912	WMIC.exe
Token: 34	912	WMIC.exe
Token: 35	912	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1772	WMIC.exe
Token: SeSecurityPrivilege	1772	WMIC.exe
Token: SeTakeOwnershipPrivilege	1772	WMIC.exe
Token: SeLoadDriverPrivilege	1772	WMIC.exe
Token: SeSystemProfilePrivilege	1772	WMIC.exe
Token: SeSystemtimePrivilege	1772	WMIC.exe
Token: SeProfSingleProcessPrivilege	1772	WMIC.exe
Token: SeIncBasePriorityPrivilege	1772	WMIC.exe
Token: SeCreatePagefilePrivilege	1772	WMIC.exe
Token: SeBackupPrivilege	1772	WMIC.exe
Token: SeRestorePrivilege	1772	WMIC.exe
Token: SeShutdownPrivilege	1772	WMIC.exe
Token: SeDebugPrivilege	1772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1772	WMIC.exe
Token: SeRemoteShutdownPrivilege	1772	WMIC.exe
Token: SeUndockPrivilege	1772	WMIC.exe
Token: SeManageVolumePrivilege	1772	WMIC.exe
Token: 33	1772	WMIC.exe
Token: 34	1772	WMIC.exe
Token: 35	1772	WMIC.exe
Token: SeBackupPrivilege	1272	vssvc.exe
Token: SeRestorePrivilege	1272	vssvc.exe
Token: SeAuditPrivilege	1272	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1772	WMIC.exe
Token: SeSecurityPrivilege	1772	WMIC.exe
Token: SeTakeOwnershipPrivilege	1772	WMIC.exe
Token: SeLoadDriverPrivilege	1772	WMIC.exe
Token: SeSystemProfilePrivilege	1772	WMIC.exe
Token: SeSystemtimePrivilege	1772	WMIC.exe
Token: SeProfSingleProcessPrivilege	1772	WMIC.exe
Token: SeIncBasePriorityPrivilege	1772	WMIC.exe
Token: SeCreatePagefilePrivilege	1772	WMIC.exe
Token: SeBackupPrivilege	1772	WMIC.exe
Token: SeRestorePrivilege	1772	WMIC.exe
Token: SeShutdownPrivilege	1772	WMIC.exe
Token: SeDebugPrivilege	1772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1772	WMIC.exe
Token: SeRemoteShutdownPrivilege	1772	WMIC.exe
Token: SeUndockPrivilege	1772	WMIC.exe
Token: SeManageVolumePrivilege	1772	WMIC.exe
Token: 33	1772	WMIC.exe
Token: 34	1772	WMIC.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exeservices.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1584 wrote to memory of 1280	1584	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	services.exe
PID 1584 wrote to memory of 1280	1584	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	services.exe
PID 1584 wrote to memory of 1280	1584	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	services.exe
PID 1584 wrote to memory of 1280	1584	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	services.exe
PID 1584 wrote to memory of 1324	1584	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	notepad.exe
PID 1584 wrote to memory of 1324	1584	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	notepad.exe
PID 1584 wrote to memory of 1324	1584	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	notepad.exe
PID 1584 wrote to memory of 1324	1584	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	notepad.exe
PID 1584 wrote to memory of 1324	1584	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	notepad.exe
PID 1584 wrote to memory of 1324	1584	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	notepad.exe
PID 1584 wrote to memory of 1324	1584	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	notepad.exe
PID 1280 wrote to memory of 308	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 308	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 308	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 308	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 1060	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 1060	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 1060	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 1060	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 572	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 572	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 572	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 572	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 304	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 304	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 304	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 304	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 1812	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 1812	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 1812	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 1812	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 1624	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 1624	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 1624	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 1624	1280	services.exe	cmd.exe
PID 1280 wrote to memory of 1760	1280	services.exe	services.exe
PID 1280 wrote to memory of 1760	1280	services.exe	services.exe
PID 1280 wrote to memory of 1760	1280	services.exe	services.exe
PID 1280 wrote to memory of 1760	1280	services.exe	services.exe
PID 1812 wrote to memory of 864	1812	cmd.exe	vssadmin.exe
PID 1812 wrote to memory of 864	1812	cmd.exe	vssadmin.exe
PID 1812 wrote to memory of 864	1812	cmd.exe	vssadmin.exe
PID 1812 wrote to memory of 864	1812	cmd.exe	vssadmin.exe
PID 1624 wrote to memory of 1772	1624	cmd.exe	WMIC.exe
PID 1624 wrote to memory of 1772	1624	cmd.exe	WMIC.exe
PID 1624 wrote to memory of 1772	1624	cmd.exe	WMIC.exe
PID 1624 wrote to memory of 1772	1624	cmd.exe	WMIC.exe
PID 308 wrote to memory of 912	308	cmd.exe	WMIC.exe
PID 308 wrote to memory of 912	308	cmd.exe	WMIC.exe
PID 308 wrote to memory of 912	308	cmd.exe	WMIC.exe
PID 308 wrote to memory of 912	308	cmd.exe	WMIC.exe
PID 1624 wrote to memory of 1188	1624	cmd.exe	vssadmin.exe
PID 1624 wrote to memory of 1188	1624	cmd.exe	vssadmin.exe
PID 1624 wrote to memory of 1188	1624	cmd.exe	vssadmin.exe
PID 1624 wrote to memory of 1188	1624	cmd.exe	vssadmin.exe
PID 1280 wrote to memory of 676	1280	services.exe	notepad.exe
PID 1280 wrote to memory of 676	1280	services.exe	notepad.exe
PID 1280 wrote to memory of 676	1280	services.exe	notepad.exe
PID 1280 wrote to memory of 676	1280	services.exe	notepad.exe
PID 1280 wrote to memory of 676	1280	services.exe	notepad.exe
PID 1280 wrote to memory of 676	1280	services.exe	notepad.exe
PID 1280 wrote to memory of 676	1280	services.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
"C:\Users\Admin\AppData\Local\Temp\93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1188

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1760

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:676

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:1324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
dea4027a50377c42ea9007e008dd345d

SHA1
bb90e3e7983d27859727418d84a406b0da069560

SHA256
93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb

SHA512
f440d64d081741e49cfc425115e62d6470317118badcd9116ea1cac2f2d1e730ae485b1f27392125405c91381dfb93188ddd99dbfb2021044ca6f48fa25fa607

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
dea4027a50377c42ea9007e008dd345d

SHA1
bb90e3e7983d27859727418d84a406b0da069560

SHA256
93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb

SHA512
f440d64d081741e49cfc425115e62d6470317118badcd9116ea1cac2f2d1e730ae485b1f27392125405c91381dfb93188ddd99dbfb2021044ca6f48fa25fa607

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
dea4027a50377c42ea9007e008dd345d

SHA1
bb90e3e7983d27859727418d84a406b0da069560

SHA256
93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb

SHA512
f440d64d081741e49cfc425115e62d6470317118badcd9116ea1cac2f2d1e730ae485b1f27392125405c91381dfb93188ddd99dbfb2021044ca6f48fa25fa607

Download Submit
C:\Users\Admin\Desktop\AssertShow.mpeg3.736-6D8-540
MD5
ac1c9da0fa4bfb80e6b145480286a51f

SHA1
71335cf22e5519cc3f4e194009b1e119094f2764

SHA256
d0306c0ee73a865d899f42a6763b4b25de8aa1e87da333440a0d4243a662276c

SHA512
edf50c152074a51aca55f30f90327d6f02ced8deb3fe1a94746434abbc8c8e9383988bbf0abc3154610df261593e7aca3d52c9df6a426c53a0e23fd8bb836d15

Download Submit
C:\Users\Admin\Desktop\ConnectDisconnect.jpeg.736-6D8-540
MD5
eb547f41d1998976606713776853421c

SHA1
c828d3c5026a22c1dfb07fafd131369afb517efe

SHA256
34f291bccc1b314e3e5514d792c73da5d8dca9aa22e29d21f4c075afe5acd814

SHA512
92501218f7b85ea886a36c80bd44eb7fc3e8427566bb3e815ab8a7c13f681272bcac5df3ee93669ba68a6f32fbc10512765b2afc88f110a23837dad7294cc882

Download Submit
C:\Users\Admin\Desktop\ConnectTest.mht.736-6D8-540
MD5
1db9932afa3d6dc69bac7ff99bc0e4e1

SHA1
0a2bf9e1e400f60d15c491c94a20e12c02330b31

SHA256
7f914dc94a63428b9db5f7bb6317d299b889c7a0fccfeb9d26c0f2de2b0c0d3f

SHA512
1d4cece5d8abe2de76295bd758165b6052258ea34b3f22aa7441b026ca46aa5a42795578b13d8bf017583765303accb481c8fd9a9837518c492c64fc35771f03

Download Submit
C:\Users\Admin\Desktop\ConvertToPush.rm.736-6D8-540
MD5
a5806f4de8ff875114ca47740901dd67

SHA1
ad71d0252f736e483f2195c37ce80b76bdf0977a

SHA256
fe94b2c88341c173ec17d6970a8a2d8e7a711cc8b002ad865e4b6bdde597cf32

SHA512
604e12346ee53624721e7f3c9aa5a25b0fc5cff8ad2849155288ffefadbb9d3a09aa864768babefab6b1f9aeae8fe2e93e7a81950ac86c8322c78fe9fa8ab3a0

Download Submit
C:\Users\Admin\Desktop\DisableRestart.jtx.736-6D8-540
MD5
1cff23843e16a02490fd7cee48abfe0c

SHA1
81be84e61eebff7deb20d87a601d896e31b72bc4

SHA256
3be5288b3289958186d600f130fa5acefa1faccc74645705389dae7b423950a5

SHA512
a2015d7e8bce27db57de665cb58401da4f76f2516acf736bce25a96b992e234102e2a1badff98d42c040156ff6ee844a22931c792eeffba6ff8b540c718755bd

Download Submit
C:\Users\Admin\Desktop\ExpandSuspend.xps.736-6D8-540
MD5
8228393bf55b2a0375f8620607d47f00

SHA1
627cc241c916361944d390284640356b9e09044f

SHA256
c9bbc115e3b332e177e2b02cd8ba4e40889bfd88895475b25a0af66d576bf36a

SHA512
fb2f6331fcafa2b3dc2e5a5e557b7e41b08e74ab5ce7db9d4d7a58231cac082d853f74744b80e715d359db87b99489cafdff8c8f16922ebdb4b16aae6c0e52de

Download Submit
C:\Users\Admin\Desktop\InitializeCheckpoint.au3.736-6D8-540
MD5
48e4c73fcbe91efb260ed59247ee8913

SHA1
0a175eb9be3779a020101885820d1f4d1ae2200c

SHA256
7938b99caf1b3747af7ff8716f206d3a85b765e122fafb1cb7083a97830219c0

SHA512
2271571016651d4b3869ae174c2eb5e0fdf5e727d9afdbaa70d770c23a51b599ca3a63dfaf49396901ec02ec08257d8fd28568139a8281b4e31dcf585e7312a9

Download Submit
C:\Users\Admin\Desktop\JoinMerge.M2T.736-6D8-540
MD5
01a7a61d008ec124791eaff446f7d628

SHA1
7170a01b103f983e771079cb2b3cd40bf1b8b3e0

SHA256
11c01923177fcf2962e8fdd26e6034a495e2367ecfdb55d0580f72a041411c93

SHA512
b9dcdf4719fac38e0a99ce4f9855e1bb5a61d47709c4c96b2c358b73f1741a29ece1e2bffa46fa84bb18302aa20ad6b6c351485599be3a801657b6a0f5e0c58c

Download Submit
C:\Users\Admin\Desktop\LimitUnprotect.wma.736-6D8-540
MD5
11bedb2f4886c1511d592d5755031f0e

SHA1
49ed225735e93cfa64c40f4655f88298ac5c5021

SHA256
dde69c6aafd3b0006680868312c73d02d5e9ff65360c96109a4391636475ed04

SHA512
88ae056a26958d02d7228ba3daca666eab773be31d92f6613a8129fc6d65d5988b7f7a0465d61760e16348c2a87349d9a7b8d9c2b534dcd14d2d7cc66ab34dcc

Download Submit
C:\Users\Admin\Desktop\MergeLimit.vbs.736-6D8-540
MD5
2b02049b7514549a0f1efc29e3f7fd41

SHA1
d194a3cbca428cd8d56436e6455f49e031021290

SHA256
66e41b929ab01b49f114dc710ef1bab3f8bdcfb22df2a5426846c9788dca5d96

SHA512
865e58c58f57e2acc40b11c9f7a106a143c72b880225341b4321e18f97ce45a38c0f90d6460cf39a21463dd58c392e9115c99a2c3d479705eb2070bbe5c62384

Download Submit
C:\Users\Admin\Desktop\NewConnect.aif.736-6D8-540
MD5
a1aa4984cc97de81571a333e32608ee6

SHA1
a885b9a7b075666c03350c98a725ca2de40a1497

SHA256
615b400b1f54c2c4ad03a47c9777909404089e1b9acc0e5cf0b85fbaa2569783

SHA512
0e26ce910be98eeabd51ab787b318844c3bee0a21c575a2604a57c49aed4d7e01f6aa13ba3108139ebdc1e70c3908761a586a7bc47d5ad3639672402c099a63f

Download Submit
C:\Users\Admin\Desktop\NewRemove.potx.736-6D8-540
MD5
8e3aa1f6468ed9111542a7b9a7c15f44

SHA1
e483326954f13a0d1882cd6881c3daea759887da

SHA256
5b58049d9b645de1ce3b22be243195cbe401fca55659f76bad9288f79895340d

SHA512
9cba3df9afa2be465cdd5d56ae5ec6c347b8c937b231b7682e7305c09a7781c5b894513a5711fb2bcbafe1dc80ac227ff66beb3a333dfab51ae053159ab453c5

Download Submit
C:\Users\Admin\Desktop\NewResize.dxf.736-6D8-540
MD5
c9fdb7f03156e69cbdf7b8d161592669

SHA1
a9366e842f4a4d73fcb034f2654832aff37e4c60

SHA256
629300b73e8b6870c68de038cd9b5d75378385ec45ddb06916ffecb13aafc232

SHA512
56a625acdbb8aea06bb61665e46345bda825d08381a5ed7c88d1e2741e8d7e71c7efffc915b282eda74b2b6f21261cedf3dae0611df427303cef3a45e0f96f19

Download Submit
C:\Users\Admin\Desktop\ReadConvertTo.mp4.736-6D8-540
MD5
9e1d96d40ae2119cae20e30686aed8b7

SHA1
0b5e04556a507bacabe91a90a9ab97bf7f586467

SHA256
f70157ee4d4b3e0e69b227c933be4dbd17dc8bf1d8f127a2ddc88b01bcd85691

SHA512
2eb929cb73faa4ffaaa1654585223a1199862831de90e5d13704b1d71903806d96a5f97ff8afc93da532d13d86506c6451e442bde0c0af56afc7ee606794b61e

Download Submit
C:\Users\Admin\Desktop\RestoreDeny.ini.736-6D8-540
MD5
4d71195ab215cd9fe703ddee9329b60f

SHA1
ca40208999fe51cd17b029338ad0f978cd7ecf3d

SHA256
e3f9c4a96d49369be36beb8b8cc8acb5378b660f112e116e748cbccd86e482e2

SHA512
3120d17b7adc0bf80b99e36f4cd8821ab4b0c4d7e2963630d35bca6a176c0ab77a3cc0c2b7907a74aba034b2f83dfe899fd43765fec73b3ab6c5e6611bab5e5a

Download Submit
C:\Users\Admin\Desktop\ResumeEdit.wpl.736-6D8-540
MD5
998eda0d6ec0ae3a34d0fe95c4498984

SHA1
f371247ccc1ec420755c7de42db71819950ef539

SHA256
81013c3efe4f4ba92be7e8c0fa838528c1aad9c93a5d4d9b3d1ed718670aa09e

SHA512
b8d887174b28554885ba276146ffd0b4369eb75843d41503834822ed77a25ff45bfe8d736cbc9c20ae3cdc978685bf181a0fd6c9cd88365c945e7d995fae9d1e

Download Submit
C:\Users\Admin\Desktop\SubmitEnter.emz.736-6D8-540
MD5
b52ed137dd43d0980738b38f4165dbbc

SHA1
22741035c5e02fa50dd657e06448754b6d852817

SHA256
705947ed5d53cc628373f0d66ad4a03659775e4924a39c51cfcd991489651983

SHA512
cd2837c2f10071d061ce05fefd42daf86d54fd36431bd3caac457ac10d1ad2357f11df6ac2f8fbfaaa93113316ad0fb3a6c3cf292b6abdd3c0383e4c46e90673

Download Submit
C:\Users\Admin\Desktop\SuspendConfirm.i64.736-6D8-540
MD5
7f702599ea3626591fb3b07e67d2fa79

SHA1
ac69e560471e1dc68a1fc2890d9913bcb063d09e

SHA256
cd7293e00f4fe18cc14e484b554e7d8312a11c2e3501acaf29df9a56cd88c80d

SHA512
fcde50cdc1d8274358b64f99c78caaadeb0dcfce0fa213d5c4b9b31db64fc306bb25d91f4b4989de5c4b363e7e1e6d3ea7a14d37e483857a523a1be35121364e

Download Submit
C:\Users\Admin\Desktop\UndoCheckpoint.ico.736-6D8-540
MD5
e5dabc98e0c11561282d20f5273d5014

SHA1
d554c791cf889ecf54173529e45f91f21d9289b7

SHA256
25f5961f1c07370a354503e2409597c2fbf1c09be3629840ac2124e55453cc00

SHA512
54e0374f599d243cbbf7496b8130af571d1d9ddc343ef8ccc5d12ca8e3832969f33b3ec12a9ad3b9974f0ad3cef85ddc0e73d58967920d1ee30150e55ea42ea2

Download Submit
C:\Users\Admin\Desktop\UnprotectSync.html.736-6D8-540
MD5
ef5c9774d21bc8498b23ac9bff1ce85b

SHA1
19652ab3823772504db4b0db7e0d99a405eeb629

SHA256
16bc2b758517ae3a43264b26e8e295bb84fa889e302355049273c56ec316b66e

SHA512
27589abd637fd268b66ad056f3c1141c5767f1ef5018b3c0ed8d5b4f510196c15e8793b79eaaba512e79d04567272c78114a5701f4f4e04e7bd17f0529708226

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
dea4027a50377c42ea9007e008dd345d

SHA1
bb90e3e7983d27859727418d84a406b0da069560

SHA256
93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb

SHA512
f440d64d081741e49cfc425115e62d6470317118badcd9116ea1cac2f2d1e730ae485b1f27392125405c91381dfb93188ddd99dbfb2021044ca6f48fa25fa607

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
dea4027a50377c42ea9007e008dd345d

SHA1
bb90e3e7983d27859727418d84a406b0da069560

SHA256
93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb

SHA512
f440d64d081741e49cfc425115e62d6470317118badcd9116ea1cac2f2d1e730ae485b1f27392125405c91381dfb93188ddd99dbfb2021044ca6f48fa25fa607

Download Submit
memory/304-9-0x0000000000000000-mapping.dmp

Download
memory/308-6-0x0000000000000000-mapping.dmp

Download
memory/572-8-0x0000000000000000-mapping.dmp

Download
memory/676-41-0x0000000000000000-mapping.dmp

Download
memory/676-40-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/864-16-0x0000000000000000-mapping.dmp

Download
memory/912-18-0x0000000000000000-mapping.dmp

Download
memory/1060-7-0x0000000000000000-mapping.dmp

Download
memory/1188-19-0x0000000000000000-mapping.dmp

Download
memory/1280-2-0x0000000000000000-mapping.dmp

Download
memory/1324-5-0x0000000000000000-mapping.dmp

Download
memory/1324-4-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1624-11-0x0000000000000000-mapping.dmp

Download
memory/1760-13-0x0000000000000000-mapping.dmp

Download
memory/1772-17-0x0000000000000000-mapping.dmp

Download
memory/1812-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads