buran | 93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb

Analysis

max time kernel
93s
max time network
68s
platform
windows10_x64
resource
win10v20201028
submitted
06-11-2020 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
Size

212KB
MD5

dea4027a50377c42ea9007e008dd345d
SHA1

bb90e3e7983d27859727418d84a406b0da069560
SHA256

93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb
SHA512

f440d64d081741e49cfc425115e62d6470317118badcd9116ea1cac2f2d1e730ae485b1f27392125405c91381dfb93188ddd99dbfb2021044ca6f48fa25fa607

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: serioussam@firemail.cc and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Jabber: serioussam@thesecure.biz Write to email: serioussam@firemail.cc Your personal ID: EDD-183-890 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

serioussam@firemail.cc

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

services.exeservices.exe

pid process

3428 services.exe
4044 services.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

3684 notepad.exe

pid	process
3428	services.exe
4044	services.exe

pid	process
3684	notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

services.exe

description	ioc	process
File opened (read-only)	\??\V:	services.exe
File opened (read-only)	\??\P:	services.exe
File opened (read-only)	\??\I:	services.exe
File opened (read-only)	\??\H:	services.exe
File opened (read-only)	\??\G:	services.exe
File opened (read-only)	\??\A:	services.exe
File opened (read-only)	\??\Y:	services.exe
File opened (read-only)	\??\T:	services.exe
File opened (read-only)	\??\M:	services.exe
File opened (read-only)	\??\E:	services.exe
File opened (read-only)	\??\B:	services.exe
File opened (read-only)	\??\X:	services.exe
File opened (read-only)	\??\R:	services.exe
File opened (read-only)	\??\O:	services.exe
File opened (read-only)	\??\N:	services.exe
File opened (read-only)	\??\L:	services.exe
File opened (read-only)	\??\J:	services.exe
File opened (read-only)	\??\Z:	services.exe
File opened (read-only)	\??\U:	services.exe
File opened (read-only)	\??\S:	services.exe
File opened (read-only)	\??\Q:	services.exe
File opened (read-only)	\??\K:	services.exe
File opened (read-only)	\??\F:	services.exe
File opened (read-only)	\??\W:	services.exe

Drops file in Program Files directory 64 IoCs

Processes:

services.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.scale-200.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	services.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\3490_20x20x32.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6100_32x32x32.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\access-bridge-64.jar	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.EDD-183-890	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar.EDD-183-890	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White@3x.png.EDD-183-890	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_altform-unplated.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\LargeTile.scale-200.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\ui-strings.js	services.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\Ungroup.scale-180.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\4.jpg	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.EDD-183-890	services.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-256.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\welcome.png.EDD-183-890	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar.EDD-183-890	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\AppxBlockMap.xml	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.scale-200.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-200.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\ui-strings.js.EDD-183-890	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark.gif.EDD-183-890	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\ui-strings.js.EDD-183-890	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ro-ro\ui-strings.js	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt	services.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-32.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-125_contrast-black.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\MedTile.scale-100.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-16.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\help.svg	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe.EDD-183-890	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml.EDD-183-890	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-24.png	services.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-gb\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-text_ja.jar	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\THMBNAIL.PNG	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\SelectAll.scale-100.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-20_contrast-black.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x86__8wekyb3d8bbwe\logo.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-colorize.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-disabled_32.svg.EDD-183-890	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Close.png.EDD-183-890	services.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-64.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\zw_60x42.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-400.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif.EDD-183-890	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe.EDD-183-890	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar.EDD-183-890	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4508 vssadmin.exe
1288 vssadmin.exe

pid	process
4508	vssadmin.exe
1288	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4720	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
Token: SeDebugPrivilege	4720	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
Token: SeIncreaseQuotaPrivilege	4532	WMIC.exe
Token: SeSecurityPrivilege	4532	WMIC.exe
Token: SeTakeOwnershipPrivilege	4532	WMIC.exe
Token: SeLoadDriverPrivilege	4532	WMIC.exe
Token: SeSystemProfilePrivilege	4532	WMIC.exe
Token: SeSystemtimePrivilege	4532	WMIC.exe
Token: SeProfSingleProcessPrivilege	4532	WMIC.exe
Token: SeIncBasePriorityPrivilege	4532	WMIC.exe
Token: SeCreatePagefilePrivilege	4532	WMIC.exe
Token: SeBackupPrivilege	4532	WMIC.exe
Token: SeRestorePrivilege	4532	WMIC.exe
Token: SeShutdownPrivilege	4532	WMIC.exe
Token: SeDebugPrivilege	4532	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4532	WMIC.exe
Token: SeRemoteShutdownPrivilege	4532	WMIC.exe
Token: SeUndockPrivilege	4532	WMIC.exe
Token: SeManageVolumePrivilege	4532	WMIC.exe
Token: 33	4532	WMIC.exe
Token: 34	4532	WMIC.exe
Token: 35	4532	WMIC.exe
Token: 36	4532	WMIC.exe
Token: SeIncreaseQuotaPrivilege	556	WMIC.exe
Token: SeSecurityPrivilege	556	WMIC.exe
Token: SeTakeOwnershipPrivilege	556	WMIC.exe
Token: SeLoadDriverPrivilege	556	WMIC.exe
Token: SeSystemProfilePrivilege	556	WMIC.exe
Token: SeSystemtimePrivilege	556	WMIC.exe
Token: SeProfSingleProcessPrivilege	556	WMIC.exe
Token: SeIncBasePriorityPrivilege	556	WMIC.exe
Token: SeCreatePagefilePrivilege	556	WMIC.exe
Token: SeBackupPrivilege	556	WMIC.exe
Token: SeRestorePrivilege	556	WMIC.exe
Token: SeShutdownPrivilege	556	WMIC.exe
Token: SeDebugPrivilege	556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	556	WMIC.exe
Token: SeRemoteShutdownPrivilege	556	WMIC.exe
Token: SeUndockPrivilege	556	WMIC.exe
Token: SeManageVolumePrivilege	556	WMIC.exe
Token: 33	556	WMIC.exe
Token: 34	556	WMIC.exe
Token: 35	556	WMIC.exe
Token: 36	556	WMIC.exe
Token: SeBackupPrivilege	3132	vssvc.exe
Token: SeRestorePrivilege	3132	vssvc.exe
Token: SeAuditPrivilege	3132	vssvc.exe
Token: SeIncreaseQuotaPrivilege	556	WMIC.exe
Token: SeSecurityPrivilege	556	WMIC.exe
Token: SeTakeOwnershipPrivilege	556	WMIC.exe
Token: SeLoadDriverPrivilege	556	WMIC.exe
Token: SeSystemProfilePrivilege	556	WMIC.exe
Token: SeSystemtimePrivilege	556	WMIC.exe
Token: SeProfSingleProcessPrivilege	556	WMIC.exe
Token: SeIncBasePriorityPrivilege	556	WMIC.exe
Token: SeCreatePagefilePrivilege	556	WMIC.exe
Token: SeBackupPrivilege	556	WMIC.exe
Token: SeRestorePrivilege	556	WMIC.exe
Token: SeShutdownPrivilege	556	WMIC.exe
Token: SeDebugPrivilege	556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	556	WMIC.exe
Token: SeRemoteShutdownPrivilege	556	WMIC.exe
Token: SeUndockPrivilege	556	WMIC.exe
Token: SeManageVolumePrivilege	556	WMIC.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exeservices.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4720 wrote to memory of 3428	4720	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	services.exe
PID 4720 wrote to memory of 3428	4720	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	services.exe
PID 4720 wrote to memory of 3428	4720	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	services.exe
PID 4720 wrote to memory of 3684	4720	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	notepad.exe
PID 4720 wrote to memory of 3684	4720	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	notepad.exe
PID 4720 wrote to memory of 3684	4720	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	notepad.exe
PID 4720 wrote to memory of 3684	4720	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	notepad.exe
PID 4720 wrote to memory of 3684	4720	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	notepad.exe
PID 4720 wrote to memory of 3684	4720	93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe	notepad.exe
PID 3428 wrote to memory of 3460	3428	services.exe	cmd.exe
PID 3428 wrote to memory of 3460	3428	services.exe	cmd.exe
PID 3428 wrote to memory of 3460	3428	services.exe	cmd.exe
PID 3428 wrote to memory of 3456	3428	services.exe	cmd.exe
PID 3428 wrote to memory of 3456	3428	services.exe	cmd.exe
PID 3428 wrote to memory of 3456	3428	services.exe	cmd.exe
PID 3428 wrote to memory of 2144	3428	services.exe	cmd.exe
PID 3428 wrote to memory of 2144	3428	services.exe	cmd.exe
PID 3428 wrote to memory of 2144	3428	services.exe	cmd.exe
PID 3428 wrote to memory of 4300	3428	services.exe	cmd.exe
PID 3428 wrote to memory of 4300	3428	services.exe	cmd.exe
PID 3428 wrote to memory of 4300	3428	services.exe	cmd.exe
PID 3428 wrote to memory of 4084	3428	services.exe	cmd.exe
PID 3428 wrote to memory of 4084	3428	services.exe	cmd.exe
PID 3428 wrote to memory of 4084	3428	services.exe	cmd.exe
PID 3428 wrote to memory of 4372	3428	services.exe	cmd.exe
PID 3428 wrote to memory of 4372	3428	services.exe	cmd.exe
PID 3428 wrote to memory of 4372	3428	services.exe	cmd.exe
PID 3428 wrote to memory of 4044	3428	services.exe	services.exe
PID 3428 wrote to memory of 4044	3428	services.exe	services.exe
PID 3428 wrote to memory of 4044	3428	services.exe	services.exe
PID 4084 wrote to memory of 4508	4084	cmd.exe	vssadmin.exe
PID 4084 wrote to memory of 4508	4084	cmd.exe	vssadmin.exe
PID 4084 wrote to memory of 4508	4084	cmd.exe	vssadmin.exe
PID 3460 wrote to memory of 4532	3460	cmd.exe	WMIC.exe
PID 3460 wrote to memory of 4532	3460	cmd.exe	WMIC.exe
PID 3460 wrote to memory of 4532	3460	cmd.exe	WMIC.exe
PID 4372 wrote to memory of 556	4372	cmd.exe	WMIC.exe
PID 4372 wrote to memory of 556	4372	cmd.exe	WMIC.exe
PID 4372 wrote to memory of 556	4372	cmd.exe	WMIC.exe
PID 4372 wrote to memory of 1288	4372	cmd.exe	vssadmin.exe
PID 4372 wrote to memory of 1288	4372	cmd.exe	vssadmin.exe
PID 4372 wrote to memory of 1288	4372	cmd.exe	vssadmin.exe
PID 3428 wrote to memory of 2908	3428	services.exe	notepad.exe
PID 3428 wrote to memory of 2908	3428	services.exe	notepad.exe
PID 3428 wrote to memory of 2908	3428	services.exe	notepad.exe
PID 3428 wrote to memory of 2908	3428	services.exe	notepad.exe
PID 3428 wrote to memory of 2908	3428	services.exe	notepad.exe
PID 3428 wrote to memory of 2908	3428	services.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
"C:\Users\Admin\AppData\Local\Temp\93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:3456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:4508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1288

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4044

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:2908

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:3684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3132

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
dea4027a50377c42ea9007e008dd345d

SHA1
bb90e3e7983d27859727418d84a406b0da069560

SHA256
93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb

SHA512
f440d64d081741e49cfc425115e62d6470317118badcd9116ea1cac2f2d1e730ae485b1f27392125405c91381dfb93188ddd99dbfb2021044ca6f48fa25fa607

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
dea4027a50377c42ea9007e008dd345d

SHA1
bb90e3e7983d27859727418d84a406b0da069560

SHA256
93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb

SHA512
f440d64d081741e49cfc425115e62d6470317118badcd9116ea1cac2f2d1e730ae485b1f27392125405c91381dfb93188ddd99dbfb2021044ca6f48fa25fa607

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
dea4027a50377c42ea9007e008dd345d

SHA1
bb90e3e7983d27859727418d84a406b0da069560

SHA256
93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb

SHA512
f440d64d081741e49cfc425115e62d6470317118badcd9116ea1cac2f2d1e730ae485b1f27392125405c91381dfb93188ddd99dbfb2021044ca6f48fa25fa607

Download Submit
C:\Users\Admin\Desktop\CompareDebug.asx.EDD-183-890
MD5
fec5c20e546fc3b3714106b65f6ce18d

SHA1
f634d72479155b555a7d20ef5190c15734a35e80

SHA256
7bb6a8e153feb6181812f2a5cb1a7affbacdd2b889409d7bdd582230b5b77bdc

SHA512
02d0bedc4010ca7193af3fe37e963ab146d7f566fc8e9854c312974f64de654ae775875cb6a53bd1e466714a0fc171dd44a99967445eae23ed1370ccdff5f33e

Download Submit
C:\Users\Admin\Desktop\ConnectCompare.docm.EDD-183-890
MD5
bf7b3f7367f9d40b21a8744ec8387683

SHA1
26853af11525525525e5798d7d17bc032d808ab4

SHA256
b25c464787a03b70b28cdda5c5e2c0db8e222dcd8ec2ed20d9a43ee4a3ef72d3

SHA512
23c2f974fd7d6b1bf5c17a772caf1983c45f676edda7671bdb9b8f5ea9cf61045b787309a3731410b3eece62b09f464b5c822b97cf7f1234ed73767f315b2e6b

Download Submit
C:\Users\Admin\Desktop\ConvertShow.vstx.EDD-183-890
MD5
387a88b197d5b85f9b5bc3a88f19e17b

SHA1
f69501bba8157b8b3b77ffd0156f227ac8d7630f

SHA256
8efef1b2c8e231b192ce22bf1e0b708e21b00de155a4acc33a1b4a2a59d6e19a

SHA512
7b9cc2362be081e9c764de452a1ec7a91912a5e4e361ab1160a335997f04fcbeda51a553d9536e2637d6548a1b5179d51c2bc816ca14f45a136d707c9d489aa3

Download Submit
C:\Users\Admin\Desktop\CopyHide.html.EDD-183-890
MD5
31f2786c93f4f17e1bd0ab684285aab1

SHA1
8d60cb93b1eec37e8fc91fbd648d3e4b0eb0b5eb

SHA256
5dd3030120df576d7c1c9b7575ea1c22beca82ba54d52f2a8768ed1f9d309051

SHA512
3bbcf62438e82a79fb807c60ae49670cf87629c424c59886910a3e2fdbf9cc104434636113ba0f2a677428ebe0f59c27be23cbb6843ae862ac7943c27b28243c

Download Submit
C:\Users\Admin\Desktop\EnableWatch.nfo.EDD-183-890
MD5
22206c185c0567e5bf0418ac379b66de

SHA1
87b531ee1abb5cc731d141b99107b07b895af316

SHA256
c070864fac4b70f48aadbc04bc2e11f3741f500772ec49c1996bd56852f94be8

SHA512
feabe927080496830455e30a3b5130f3ef938d6fb8a549a9afee088e4d683b3ee6b0102c3699543ba12d35eff197792a4cf900654275ad8489b8ae7605ab6348

Download Submit
C:\Users\Admin\Desktop\FindRead.xps.EDD-183-890
MD5
1adca49f0128450744f089ab6a65c040

SHA1
fcc8717539ce1a1d3e13264580a539a5f957ce27

SHA256
130076af9174930387eef1dab1c40fcfe78851d134ef4cf35e6626ed43ce8d05

SHA512
ceb940e05ccfa72f5f09226f0babc6ee6e1972db0151c5d2f31f978af73b476fe7b1ccffa9f02c8a94173ef9b8c4442fb22f9c1700c0e08342ffdd8af727e5ab

Download Submit
C:\Users\Admin\Desktop\GroupStart.pps.EDD-183-890
MD5
b431e130ca3e1e1572fffa02accbf6e3

SHA1
664959152fd34a025d1ac600e51bf7b49c47db72

SHA256
769c539e2fdfd01b92c1ebd28c1df40e8b495f3497ae55286773e0766f11e2b1

SHA512
2cc5d38ac241554bd8bf9a97249d496f9358c550bdc2026b0bda5f378f75a5ee1ebc815091b8d72c93d603ee3317d4c869f40b6937e00ba224e1fa1272020992

Download Submit
C:\Users\Admin\Desktop\ImportAdd.vdx.EDD-183-890
MD5
ecba5c98bf8bc468f629dffe25d5418b

SHA1
c725727c1c2d8df16944ff40bf64dd89336fd7c8

SHA256
4ea680e3e7d78b55c5354b53b037b263b49951f95c44e211d0738949dabfa50e

SHA512
7c6cd6f6831faaf7df625cc881d2ede9b7bdd8816f88c3096e34047778676985da831df35e5bac101de53a47a2e49ddba5bf56ddaad5e1f0caf291422b776cb6

Download Submit
C:\Users\Admin\Desktop\LockBackup.jpg.EDD-183-890
MD5
797638d2cf26c43654e81aeea566a31f

SHA1
eccee475e81eef78b88ab85c7babaf336a90c91c

SHA256
54ec899574bbf484eab7cc2e1f609f3b008771285be0cfac7672ce52d14dc86b

SHA512
4db5a08f80103a06a155c708142f55986e33e5d454938fceb08173d70919e8d0f42c29aee0376e74e4d1cc9d36c34246f69ceed60b6c96c3eb98f8e6fee1e644

Download Submit
C:\Users\Admin\Desktop\OpenMeasure.js.EDD-183-890
MD5
173f8b064c74a74607819fc1365195ed

SHA1
e0582630c0ed1a65af9b6072f3394c6068ff42cc

SHA256
03ad6d0a3302d83cfb7917815ada8d96732820803cf7ff981e6a8a62fe625992

SHA512
1d8d0ee29f59e8e07ee6536a3e6c2b896088ea5d5612a09cc605f825b701d14104a38de65279fe2438de600335791810218e0815362375144cd6c687b1e3db6f

Download Submit
C:\Users\Admin\Desktop\OptimizeInvoke.odt.EDD-183-890
MD5
9dce423d04c985c5c7fb24044c95e14a

SHA1
962be6d4bd1b11e1905435219715d53ee9b2d264

SHA256
36134d20e6945607ac4ce7948484dcca1cb978b930ad1aae52edf42731cc4b1f

SHA512
5fc2f0ce2d85b049bbd0a17936db8371a30b595740a944366f6b5b91d3733baae837d4b8ba95e18f50b3eec862c7c7720b8dbc1b68b1f10ac32d2284a606c52c

Download Submit
C:\Users\Admin\Desktop\ReceiveInvoke.crw.EDD-183-890
MD5
79f645bb34282096528369e97e1e3653

SHA1
86b4ff6b91846d57bfcd19e58a78ead23671fad6

SHA256
bb4795ad8c4a20edf3900e11b9f804569f2b2f774d24221a297c1d6c0bf2a15f

SHA512
797cd44e0f492da8100b7b39abc430beee047c13303198a8af8fc6c473cbc32b57decf9e5454133455434e556ddc5c0980d0d6db03c30f8b8de218913bf5d9e6

Download Submit
C:\Users\Admin\Desktop\RegisterRestart.css.EDD-183-890
MD5
2af1228ea9bf576138b6bf4d01ced314

SHA1
f8b33d00175bd9e122de9e1960845bde957018d1

SHA256
bb9d783cc1163695a3e760ff5bf81d76f8bff5fcb650c43550bc8c3fabc385a7

SHA512
b1715766e9e3d422b9bca39cec58b6cbdf65e040539632ade8a72f462237099679fd64110f449e7f60984bd1c9a1fe3b115abc7543040300089cdd461fe3f42c

Download Submit
C:\Users\Admin\Desktop\RenameSet.rtf.EDD-183-890
MD5
b59503ef2809e10cf5cc6228a4b45c71

SHA1
967921a4ed6bc5326281a2edd5314028734258d9

SHA256
109462f29807f5ece9b571a3a14f327c1b6ee4c7e0113da6031894ae0eece827

SHA512
65a7dc73c76f16ce0efb5050f4e71ff7673452b779c07eec58ebd8244d9fe5a7c84d89104cba764a6e471d7a37e157cc770fa4d64ee378c3bec1d4a8f17262e9

Download Submit
C:\Users\Admin\Desktop\ResetRepair.TS.EDD-183-890
MD5
d97d815049820767da3ef90bef380fb0

SHA1
8b542c69b5c1d8cff461b6e4a9d8d9c06c643aa6

SHA256
48c353dc0fe6f85be4fa3d428d39bf9ef26df24b78f34b7919f9693bbfb9631b

SHA512
01d0c0de090d7f6b2b438b8856d3ce75a85da40abf8f09e8edefcedf8d357ba90bd6f27a9d1ab96abb6f3d9f6466d1a93b930f151fa38fc56c956b106ae5f193

Download Submit
C:\Users\Admin\Desktop\ResetSend.css.EDD-183-890
MD5
c6112ee83e9a0c93ddf0f2496e1e9914

SHA1
74664a2388f4753438a9272575fc27e6160cb378

SHA256
186e35419150fce71a3f5b0f5d0881e56b21d15a1f84f5706ead49924a8f0a46

SHA512
7d7c37913cd16a009739edac8bd267754a4c647f7f67ca69186df48e8ffb4b39534bab6582f236ebad1d5aec77d4cbf020a951eca27315ecd97f006271e20829

Download Submit
C:\Users\Admin\Desktop\ResolveUnpublish.png.EDD-183-890
MD5
b59e7def1c41c14b398519f066353fb5

SHA1
58b57af16484179e88797a29c6c93da8addf4bf0

SHA256
f54d1922ea5ed271d9335f841e466dfa793bf81fd6c1f5ede39319e520975c27

SHA512
26d22a292b13715ba8eb15dc869be6ed0bcd6dbce6e71cfd2413ea69ac89b1d87651627aee7d6c4d009197d373883567fd1adce48ce08bc24bc59cffb80c22c4

Download Submit
C:\Users\Admin\Desktop\RevokeSkip.xsl.EDD-183-890
MD5
88c76dcf7b89bed13e4eb7c7e038aeb8

SHA1
4d5130b561a571792bcea6f88406ea676afdce1d

SHA256
cec4b5cb9ad89fd00353198f11b3f21e3e763a74abd0a635918bc1c788589800

SHA512
bd28ce0bd622a9f53a5749cfe81d4dd95b549433e2b05d677de44fe5161da120f16b63e91ff7bf25ff4f2df0d48453bc90971671fc41b6d033ca5fa94aeb98d9

Download Submit
C:\Users\Admin\Desktop\StepEdit.001.EDD-183-890
MD5
fea4c61a1d92e290f8c88ad940cbbf36

SHA1
94884aed0fd2a142f16ad17229c78720721b8a97

SHA256
8b1fc38a5c91809868907e12f7095c60cb9725d8e377443e2c9b50f2297b418f

SHA512
d2311080639d2c878fee21010abe5db1a31e07ab9ca92de41a56e094838ef95a3beb310694354a121bf377444bb6b843b2b79d900b1215b6d0ce00735753c58f

Download Submit
C:\Users\Admin\Desktop\StopDisconnect.avi.EDD-183-890
MD5
3bb674f32e73bcfcd91975a0e393f4ad

SHA1
c30843feb18da14d9adc909c9189726a64723f25

SHA256
869ae6b20551dddee0dcabc9b68591f92a2b484af64334d7f79df1d0fb25c81c

SHA512
a29e8d6d782e728fbcadbf638ffcf49a0f72b9481f9edbc0b4aa3aae5fbbada2dbad3de0eab60516e9618d14b55ccd911921b635e953357a56062cdebb9db11e

Download Submit
C:\Users\Admin\Desktop\UnblockUnpublish.zip.EDD-183-890
MD5
bb59f88933d8558a2ab513c27013e774

SHA1
6d590cb4d0a2ed02cfd71c9a14799b89f7098363

SHA256
bf15aa6f87d77054ca76d5b2eadd600d0b795f2ba321ad19069d2c7c4229aafa

SHA512
6e55cb32d46b01d8bdd36ed64e5a81ce15839325959cc490278ec4d4a6681e74001d6b2f44a1964ec86918f4300f737856a7cf17ea20d1fa4cd87c7ed5c7943c

Download Submit
C:\Users\Admin\Desktop\UninstallResume.ppsm.EDD-183-890
MD5
0a33235b1e6f06c368995916f091ffb7

SHA1
dafa27f8e7561cd8dc590b2942a174c485a39e26

SHA256
8c528dee250128aa8ccfe878927d4ae26db6065ea00a8a1003ed9ccb2618ef61

SHA512
09d61654b2d8b783fd484faa89614b4b045b08516c0ba244bf307ac9e81ebc5a81f74e849a7e471ee405b3a429510e3225fa874a607c9696638052dbf2a94958

Download Submit
C:\Users\Admin\Desktop\UnlockConvertFrom.crw.EDD-183-890
MD5
8a06f3c5872deac422e7a7ec4cd2341a

SHA1
8dbe710763530abcb19ac8330c769c6281f0d513

SHA256
adcb18c0b161967ad03577dd71363965c3fdbe0e77dd55e5225b3ccb956fe442

SHA512
a1e49e7897f0e17b5733985d0012019af28c8cf515eec885fe6a6bf6afd756a9b0d718012cbe84d6fad306a7564438ad004f89d4a58309f50f5feeee2131eba5

Download Submit
memory/556-16-0x0000000000000000-mapping.dmp

Download
memory/1288-17-0x0000000000000000-mapping.dmp

Download
memory/2144-7-0x0000000000000000-mapping.dmp

Download
memory/2908-42-0x0000000000000000-mapping.dmp

Download
memory/2908-41-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/3428-0-0x0000000000000000-mapping.dmp

Download
memory/3456-6-0x0000000000000000-mapping.dmp

Download
memory/3460-5-0x0000000000000000-mapping.dmp

Download
memory/3684-3-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/3684-4-0x0000000000000000-mapping.dmp

Download
memory/4044-11-0x0000000000000000-mapping.dmp

Download
memory/4084-9-0x0000000000000000-mapping.dmp

Download
memory/4300-8-0x0000000000000000-mapping.dmp

Download
memory/4372-10-0x0000000000000000-mapping.dmp

Download
memory/4508-13-0x0000000000000000-mapping.dmp

Download
memory/4532-14-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads