Analysis
-
max time kernel: 93s
max time network: 68s
platform: windows10_x64
resource: win10v20201028
submitted: 06-11-2020 15:30
Static task: static1
Behavioral task: behavioral1
  Sample: 93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
  Resource: win10v20201028
General
-
Target: 93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
Size: 212KB
MD5: dea4027a50377c42ea9007e008dd345d
SHA1: bb90e3e7983d27859727418d84a406b0da069560
SHA256: 93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb
SHA512: f440d64d081741e49cfc425115e62d6470317118badcd9116ea1cac2f2d1e730ae485b1f27392125405c91381dfb93188ddd99dbfb2021044ca6f48fa25fa607
Malware Config
Extracted
Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
Emails: serioussam@firemail.cc
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE (2 IoCs)
Processes:
PID 3428 services.exe
PID 4044 services.exe
-
Deletes itself (1 IoC)
Processes:
PID 3684 notepad.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
Process: 93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe
Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run
Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"
-
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Process: services.exe
File opened (read-only): \??\V: \??\P: \??\I: \??\H: \??\G: \??\A: \??\Y: \??\T: \??\M: \??\E: \??\B: \??\X:
File opened (read-only): \??\R: \??\O: \??\N: \??\L: \??\J: \??\Z: \??\U: \??\S: \??\Q: \??\K: \??\F: \??\W:
-
Drops file in Program Files directory (64 IoCs)
Processes:
Process: services.exe (all entries below)
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.scale-200.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\3490_20x20x32.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6100_32x32x32.png
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\access-bridge-64.jar
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.EDD-183-890
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar.EDD-183-890
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White@3x.png.EDD-183-890
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_altform-unplated.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\LargeTile.scale-200.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\ui-strings.js
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\Ungroup.scale-180.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\4.jpg
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.EDD-183-890
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-256.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\welcome.png.EDD-183-890
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar.EDD-183-890
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\AppxBlockMap.xml
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.scale-200.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-200.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\ui-strings.js.EDD-183-890
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark.gif.EDD-183-890
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\ui-strings.js.EDD-183-890
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ro-ro\ui-strings.js
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-32.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-125_contrast-black.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\MedTile.scale-100.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-16.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\help.svg
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe.EDD-183-890
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml.EDD-183-890
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-24.png
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-gb\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-text_ja.jar
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\THMBNAIL.PNG
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\SelectAll.scale-100.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-20_contrast-black.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x86__8wekyb3d8bbwe\logo.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-colorize.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-disabled_32.svg.EDD-183-890
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Close.png.EDD-183-890
File created C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-64.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\zw_60x42.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-400.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif.EDD-183-890
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe.EDD-183-890
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar.EDD-183-890
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
PID 4508 vssadmin.exe
PID 1288 vssadmin.exe
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
PID 4720 93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe: Token: SeDebugPrivilege, SeDebugPrivilege
PID 4532 WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
PID 556 WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
PID 3132 vssvc.exe: Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
PID 556 WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
-
Suspicious use of WriteProcessMemory (48 IoCs)
Processes (source -> target, number of writes):
PID 4720 93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe -> PID 3428 services.exe (3)
PID 4720 93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe -> PID 3684 notepad.exe (6)
PID 3428 services.exe -> PID 3460 cmd.exe (3)
PID 3428 services.exe -> PID 3456 cmd.exe (3)
PID 3428 services.exe -> PID 2144 cmd.exe (3)
PID 3428 services.exe -> PID 4300 cmd.exe (3)
PID 3428 services.exe -> PID 4084 cmd.exe (3)
PID 3428 services.exe -> PID 4372 cmd.exe (3)
PID 3428 services.exe -> PID 4044 services.exe (3)
PID 4084 cmd.exe -> PID 4508 vssadmin.exe (3)
PID 3460 cmd.exe -> PID 4532 WMIC.exe (3)
PID 4372 cmd.exe -> PID 556 WMIC.exe (3)
PID 4372 cmd.exe -> PID 1288 vssadmin.exe (3)
PID 3428 services.exe -> PID 2908 notepad.exe (6)
Processes
-
PIDs in parentheses are cross-referenced from the WriteProcessMemory and AdjustPrivilegeToken sections; the three cmd.exe instances without child processes cannot be paired unambiguously and are left without one.
C:\Users\Admin\AppData\Local\Temp\93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe (PID 4720)
  Command line: "C:\Users\Admin\AppData\Local\Temp\93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  +-- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe (PID 3428)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious use of WriteProcessMemory
      +-- C:\Windows\SysWOW64\cmd.exe (PID 3460)
          Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
          - Suspicious use of WriteProcessMemory
          +-- C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4532)
              Command line: wmic shadowcopy delete
              - Suspicious use of AdjustPrivilegeToken
      +-- C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
      +-- C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      +-- C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
      +-- C:\Windows\SysWOW64\cmd.exe (PID 4084)
          Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
          - Suspicious use of WriteProcessMemory
          +-- C:\Windows\SysWOW64\vssadmin.exe (PID 4508)
              Command line: vssadmin delete shadows /all /quiet
              - Interacts with shadow copies
      +-- C:\Windows\SysWOW64\cmd.exe (PID 4372)
          Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
          - Suspicious use of WriteProcessMemory
          +-- C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 556)
              Command line: wmic shadowcopy delete
              - Suspicious use of AdjustPrivilegeToken
          +-- C:\Windows\SysWOW64\vssadmin.exe (PID 1288)
              Command line: vssadmin delete shadows /all /quiet
              - Interacts with shadow copies
      +-- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe (PID 4044)
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
          - Executes dropped EXE
          - Drops file in Program Files directory
      +-- C:\Windows\SysWOW64\notepad.exe (PID 2908)
          Command line: notepad.exe
  +-- C:\Windows\SysWOW64\notepad.exe (PID 3684)
      Command line: notepad.exe
      - Deletes itself
C:\Windows\system32\vssvc.exe (PID 3132)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
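The process tree above is the part of this report most worth turning into detection logic: five distinct recovery-inhibition commands (vssadmin, wmic shadowcopy, two bcdedit settings, wbadmin) launched from a binary named services.exe that lives in a user's AppData folder. The script below is an added example, not part of the sandbox report or of the Buran sample. It replays the chain as constructed Sysmon-style process-creation records and correlates rule hits per process tree, so that a single administrative vssadmin call does not alert on its own. Assumptions: PIDs and parent links follow the WriteProcessMemory section where they are unambiguous, the three childless cmd.exe instances are assigned the report's remaining cmd.exe PIDs in tree order, the benign "vssadmin delete shadows /for=C: /oldest" event and the SYSTEM_NAMES list are the author's own, and the run-key check only looks at where the target executable lives.

```python
"""Added detection example (not the report's or the sample's code): rule
hits for Inhibit System Recovery and for a system-binary name running
outside System32, correlated per process tree. Records are constructed."""
import re

SAMPLE = "93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb.bin.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
DROP = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe"
CMD = "C:\\Windows\\SysWOW64\\cmd.exe"
CMD_PREFIX = '"C:\\Windows\\system32\\cmd.exe" /C '

# (pid, ppid, image, command line). PIDs 3456/2144/4300 for the childless
# cmd.exe rows are an assumption (tree order); the last row is a constructed
# benign administrator action used for contrast.
EVENTS = [
    (4720, None, TEMP, f'"{TEMP}"'),
    (3428, 4720, DROP, f'"{DROP}" -start'),
    (3460, 3428, CMD, CMD_PREFIX + "wmic shadowcopy delete"),
    (4532, 3460, "C:\\Windows\\SysWOW64\\Wbem\\WMIC.exe", "wmic shadowcopy delete"),
    (3456, 3428, CMD, CMD_PREFIX + "bcdedit /set {default} recoveryenabled no"),
    (2144, 3428, CMD, CMD_PREFIX + "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (4300, 3428, CMD, CMD_PREFIX + "wbadmin delete catalog -quiet"),
    (4084, 3428, CMD, CMD_PREFIX + "vssadmin delete shadows /all /quiet"),
    (4508, 4084, "C:\\Windows\\SysWOW64\\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (4044, 3428, DROP, f'"{DROP}" -agent 0'),
    (3132, None, "C:\\Windows\\system32\\vssvc.exe", "C:\\Windows\\system32\\vssvc.exe"),
    (9001, 9000, "C:\\Windows\\System32\\vssadmin.exe", "vssadmin delete shadows /for=C: /oldest"),
]

# One regex per recovery-inhibition command observed in the report.
RECOVERY_RULES = {name: re.compile(rx, re.I) for name, rx in {
    "vssadmin_delete_shadows": r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b",
    "wmic_shadowcopy_delete": r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b",
    "bcdedit_recovery_off": r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b",
    "bcdedit_ignore_failures": r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b",
    "wbadmin_delete_catalog": r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b",
}.items()}
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
MASQ = "system_name_outside_system32"


def masquerades(image):
    """True when a core system binary name runs from outside System32/SysWOW64."""
    directory, _, name = image.lower().rpartition("\\")
    return name in SYSTEM_NAMES and directory not in SYSTEM_DIRS


def classify(image, cmdline):
    """Set of tags for one process-creation record."""
    tags = {name for name, rx in RECOVERY_RULES.items() if rx.search(cmdline)}
    if masquerades(image):
        tags.add(MASQ)
    return tags


def root_of(pid, parents):
    """Follow ppid links up to the topmost process we hold a record for."""
    while parents.get(pid) in parents:
        pid = parents[pid]
    return pid


def run_key_suspicious(value_data):
    """Run-key values whose target executable sits under AppData (as the
    report's services.exe value does) deserve review."""
    exe = value_data.strip().strip('"').split('"')[0]
    return "\\appdata\\" in exe.lower()


def triage(events, min_recovery=2):
    """Alert per process tree on >= min_recovery distinct recovery-inhibition
    commands, or on one of them combined with a masquerading image."""
    parents = {pid: ppid for pid, ppid, _, _ in events}
    by_root = {}
    for pid, _, image, cmdline in events:
        by_root.setdefault(root_of(pid, parents), set()).update(classify(image, cmdline))
    alerts = []
    for root, tags in sorted(by_root.items()):
        recovery = sorted(t for t in tags if t in RECOVERY_RULES)
        if len(recovery) >= min_recovery or (recovery and MASQ in tags):
            alerts.append({"root_pid": root, "recovery": recovery, "masquerade": MASQ in tags})
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
    print("run key suspicious:", run_key_suspicious(f'"{DROP}" -start'))
```

Run as written it reports one tree (root PID 4720) with all five recovery-inhibition techniques plus the masquerading services.exe; the constructed lone vssadmin call (PID 9001) stays silent at the default threshold and only surfaces with min_recovery=1. The per-tree grouping is what makes the rule usable in a real environment: the individual commands are all legitimate administrative tools.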
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5 ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1 b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256 e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512 b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe (hashes identical to the submitted sample, i.e. a straight self-copy)
MD5 dea4027a50377c42ea9007e008dd345d
SHA1 bb90e3e7983d27859727418d84a406b0da069560
SHA256 93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb
SHA512 f440d64d081741e49cfc425115e62d6470317118badcd9116ea1cac2f2d1e730ae485b1f27392125405c91381dfb93188ddd99dbfb2021044ca6f48fa25fa607
-
C:\Users\Admin\Desktop\CompareDebug.asx.EDD-183-890
MD5 fec5c20e546fc3b3714106b65f6ce18d
SHA1 f634d72479155b555a7d20ef5190c15734a35e80
SHA256 7bb6a8e153feb6181812f2a5cb1a7affbacdd2b889409d7bdd582230b5b77bdc
SHA512 02d0bedc4010ca7193af3fe37e963ab146d7f566fc8e9854c312974f64de654ae775875cb6a53bd1e466714a0fc171dd44a99967445eae23ed1370ccdff5f33e
-
C:\Users\Admin\Desktop\ConnectCompare.docm.EDD-183-890
MD5 bf7b3f7367f9d40b21a8744ec8387683
SHA1 26853af11525525525e5798d7d17bc032d808ab4
SHA256 b25c464787a03b70b28cdda5c5e2c0db8e222dcd8ec2ed20d9a43ee4a3ef72d3
SHA512 23c2f974fd7d6b1bf5c17a772caf1983c45f676edda7671bdb9b8f5ea9cf61045b787309a3731410b3eece62b09f464b5c822b97cf7f1234ed73767f315b2e6b
-
C:\Users\Admin\Desktop\ConvertShow.vstx.EDD-183-890
MD5 387a88b197d5b85f9b5bc3a88f19e17b
SHA1 f69501bba8157b8b3b77ffd0156f227ac8d7630f
SHA256 8efef1b2c8e231b192ce22bf1e0b708e21b00de155a4acc33a1b4a2a59d6e19a
SHA512 7b9cc2362be081e9c764de452a1ec7a91912a5e4e361ab1160a335997f04fcbeda51a553d9536e2637d6548a1b5179d51c2bc816ca14f45a136d707c9d489aa3
-
C:\Users\Admin\Desktop\CopyHide.html.EDD-183-890
MD5 31f2786c93f4f17e1bd0ab684285aab1
SHA1 8d60cb93b1eec37e8fc91fbd648d3e4b0eb0b5eb
SHA256 5dd3030120df576d7c1c9b7575ea1c22beca82ba54d52f2a8768ed1f9d309051
SHA512 3bbcf62438e82a79fb807c60ae49670cf87629c424c59886910a3e2fdbf9cc104434636113ba0f2a677428ebe0f59c27be23cbb6843ae862ac7943c27b28243c
-
C:\Users\Admin\Desktop\EnableWatch.nfo.EDD-183-890
MD5 22206c185c0567e5bf0418ac379b66de
SHA1 87b531ee1abb5cc731d141b99107b07b895af316
SHA256 c070864fac4b70f48aadbc04bc2e11f3741f500772ec49c1996bd56852f94be8
SHA512 feabe927080496830455e30a3b5130f3ef938d6fb8a549a9afee088e4d683b3ee6b0102c3699543ba12d35eff197792a4cf900654275ad8489b8ae7605ab6348
-
C:\Users\Admin\Desktop\FindRead.xps.EDD-183-890
MD5 1adca49f0128450744f089ab6a65c040
SHA1 fcc8717539ce1a1d3e13264580a539a5f957ce27
SHA256 130076af9174930387eef1dab1c40fcfe78851d134ef4cf35e6626ed43ce8d05
SHA512 ceb940e05ccfa72f5f09226f0babc6ee6e1972db0151c5d2f31f978af73b476fe7b1ccffa9f02c8a94173ef9b8c4442fb22f9c1700c0e08342ffdd8af727e5ab
-
C:\Users\Admin\Desktop\GroupStart.pps.EDD-183-890
MD5 b431e130ca3e1e1572fffa02accbf6e3
SHA1 664959152fd34a025d1ac600e51bf7b49c47db72
SHA256 769c539e2fdfd01b92c1ebd28c1df40e8b495f3497ae55286773e0766f11e2b1
SHA512 2cc5d38ac241554bd8bf9a97249d496f9358c550bdc2026b0bda5f378f75a5ee1ebc815091b8d72c93d603ee3317d4c869f40b6937e00ba224e1fa1272020992
-
C:\Users\Admin\Desktop\ImportAdd.vdx.EDD-183-890
MD5 ecba5c98bf8bc468f629dffe25d5418b
SHA1 c725727c1c2d8df16944ff40bf64dd89336fd7c8
SHA256 4ea680e3e7d78b55c5354b53b037b263b49951f95c44e211d0738949dabfa50e
SHA512 7c6cd6f6831faaf7df625cc881d2ede9b7bdd8816f88c3096e34047778676985da831df35e5bac101de53a47a2e49ddba5bf56ddaad5e1f0caf291422b776cb6
-
C:\Users\Admin\Desktop\LockBackup.jpg.EDD-183-890
MD5 797638d2cf26c43654e81aeea566a31f
SHA1 eccee475e81eef78b88ab85c7babaf336a90c91c
SHA256 54ec899574bbf484eab7cc2e1f609f3b008771285be0cfac7672ce52d14dc86b
SHA512 4db5a08f80103a06a155c708142f55986e33e5d454938fceb08173d70919e8d0f42c29aee0376e74e4d1cc9d36c34246f69ceed60b6c96c3eb98f8e6fee1e644
-
C:\Users\Admin\Desktop\OpenMeasure.js.EDD-183-890
MD5 173f8b064c74a74607819fc1365195ed
SHA1 e0582630c0ed1a65af9b6072f3394c6068ff42cc
SHA256 03ad6d0a3302d83cfb7917815ada8d96732820803cf7ff981e6a8a62fe625992
SHA512 1d8d0ee29f59e8e07ee6536a3e6c2b896088ea5d5612a09cc605f825b701d14104a38de65279fe2438de600335791810218e0815362375144cd6c687b1e3db6f
-
C:\Users\Admin\Desktop\OptimizeInvoke.odt.EDD-183-890
MD5 9dce423d04c985c5c7fb24044c95e14a
SHA1 962be6d4bd1b11e1905435219715d53ee9b2d264
SHA256 36134d20e6945607ac4ce7948484dcca1cb978b930ad1aae52edf42731cc4b1f
SHA512 5fc2f0ce2d85b049bbd0a17936db8371a30b595740a944366f6b5b91d3733baae837d4b8ba95e18f50b3eec862c7c7720b8dbc1b68b1f10ac32d2284a606c52c
-
C:\Users\Admin\Desktop\ReceiveInvoke.crw.EDD-183-890
MD5 79f645bb34282096528369e97e1e3653
SHA1 86b4ff6b91846d57bfcd19e58a78ead23671fad6
SHA256 bb4795ad8c4a20edf3900e11b9f804569f2b2f774d24221a297c1d6c0bf2a15f
SHA512 797cd44e0f492da8100b7b39abc430beee047c13303198a8af8fc6c473cbc32b57decf9e5454133455434e556ddc5c0980d0d6db03c30f8b8de218913bf5d9e6
-
C:\Users\Admin\Desktop\RegisterRestart.css.EDD-183-890
MD5 2af1228ea9bf576138b6bf4d01ced314
SHA1 f8b33d00175bd9e122de9e1960845bde957018d1
SHA256 bb9d783cc1163695a3e760ff5bf81d76f8bff5fcb650c43550bc8c3fabc385a7
SHA512 b1715766e9e3d422b9bca39cec58b6cbdf65e040539632ade8a72f462237099679fd64110f449e7f60984bd1c9a1fe3b115abc7543040300089cdd461fe3f42c
-
C:\Users\Admin\Desktop\RenameSet.rtf.EDD-183-890
MD5 b59503ef2809e10cf5cc6228a4b45c71
SHA1 967921a4ed6bc5326281a2edd5314028734258d9
SHA256 109462f29807f5ece9b571a3a14f327c1b6ee4c7e0113da6031894ae0eece827
SHA512 65a7dc73c76f16ce0efb5050f4e71ff7673452b779c07eec58ebd8244d9fe5a7c84d89104cba764a6e471d7a37e157cc770fa4d64ee378c3bec1d4a8f17262e9
-
C:\Users\Admin\Desktop\ResetRepair.TS.EDD-183-890
MD5 d97d815049820767da3ef90bef380fb0
SHA1 8b542c69b5c1d8cff461b6e4a9d8d9c06c643aa6
SHA256 48c353dc0fe6f85be4fa3d428d39bf9ef26df24b78f34b7919f9693bbfb9631b
SHA512 01d0c0de090d7f6b2b438b8856d3ce75a85da40abf8f09e8edefcedf8d357ba90bd6f27a9d1ab96abb6f3d9f6466d1a93b930f151fa38fc56c956b106ae5f193
-
C:\Users\Admin\Desktop\ResetSend.css.EDD-183-890
MD5 c6112ee83e9a0c93ddf0f2496e1e9914
SHA1 74664a2388f4753438a9272575fc27e6160cb378
SHA256 186e35419150fce71a3f5b0f5d0881e56b21d15a1f84f5706ead49924a8f0a46
SHA512 7d7c37913cd16a009739edac8bd267754a4c647f7f67ca69186df48e8ffb4b39534bab6582f236ebad1d5aec77d4cbf020a951eca27315ecd97f006271e20829
-
C:\Users\Admin\Desktop\ResolveUnpublish.png.EDD-183-890
MD5 b59e7def1c41c14b398519f066353fb5
SHA1 58b57af16484179e88797a29c6c93da8addf4bf0
SHA256 f54d1922ea5ed271d9335f841e466dfa793bf81fd6c1f5ede39319e520975c27
SHA512 26d22a292b13715ba8eb15dc869be6ed0bcd6dbce6e71cfd2413ea69ac89b1d87651627aee7d6c4d009197d373883567fd1adce48ce08bc24bc59cffb80c22c4
-
C:\Users\Admin\Desktop\RevokeSkip.xsl.EDD-183-890
MD5 88c76dcf7b89bed13e4eb7c7e038aeb8
SHA1 4d5130b561a571792bcea6f88406ea676afdce1d
SHA256 cec4b5cb9ad89fd00353198f11b3f21e3e763a74abd0a635918bc1c788589800
SHA512 bd28ce0bd622a9f53a5749cfe81d4dd95b549433e2b05d677de44fe5161da120f16b63e91ff7bf25ff4f2df0d48453bc90971671fc41b6d033ca5fa94aeb98d9
-
C:\Users\Admin\Desktop\StepEdit.001.EDD-183-890
MD5 fea4c61a1d92e290f8c88ad940cbbf36
SHA1 94884aed0fd2a142f16ad17229c78720721b8a97
SHA256 8b1fc38a5c91809868907e12f7095c60cb9725d8e377443e2c9b50f2297b418f
SHA512 d2311080639d2c878fee21010abe5db1a31e07ab9ca92de41a56e094838ef95a3beb310694354a121bf377444bb6b843b2b79d900b1215b6d0ce00735753c58f
-
C:\Users\Admin\Desktop\StopDisconnect.avi.EDD-183-890
MD5 3bb674f32e73bcfcd91975a0e393f4ad
SHA1 c30843feb18da14d9adc909c9189726a64723f25
SHA256 869ae6b20551dddee0dcabc9b68591f92a2b484af64334d7f79df1d0fb25c81c
SHA512 a29e8d6d782e728fbcadbf638ffcf49a0f72b9481f9edbc0b4aa3aae5fbbada2dbad3de0eab60516e9618d14b55ccd911921b635e953357a56062cdebb9db11e
-
C:\Users\Admin\Desktop\UnblockUnpublish.zip.EDD-183-890
MD5 bb59f88933d8558a2ab513c27013e774
SHA1 6d590cb4d0a2ed02cfd71c9a14799b89f7098363
SHA256 bf15aa6f87d77054ca76d5b2eadd600d0b795f2ba321ad19069d2c7c4229aafa
SHA512 6e55cb32d46b01d8bdd36ed64e5a81ce15839325959cc490278ec4d4a6681e74001d6b2f44a1964ec86918f4300f737856a7cf17ea20d1fa4cd87c7ed5c7943c
-
C:\Users\Admin\Desktop\UninstallResume.ppsm.EDD-183-890
MD5 0a33235b1e6f06c368995916f091ffb7
SHA1 dafa27f8e7561cd8dc590b2942a174c485a39e26
SHA256 8c528dee250128aa8ccfe878927d4ae26db6065ea00a8a1003ed9ccb2618ef61
SHA512 09d61654b2d8b783fd484faa89614b4b045b08516c0ba244bf307ac9e81ebc5a81f74e849a7e471ee405b3a429510e3225fa874a607c9696638052dbf2a94958
-
C:\Users\Admin\Desktop\UnlockConvertFrom.crw.EDD-183-890
MD5 8a06f3c5872deac422e7a7ec4cd2341a
SHA1 8dbe710763530abcb19ac8330c769c6281f0d513
SHA256 adcb18c0b161967ad03577dd71363965c3fdbe0e77dd55e5225b3ccb956fe442
SHA512 a1e49e7897f0e17b5733985d0012019af28c8cf515eec885fe6a6bf6afd756a9b0d718012cbe84d6fad306a7564438ad004f89d4a58309f50f5feeee2131eba5
-
memory/556-16-0x0000000000000000-mapping.dmp
-
memory/1288-17-0x0000000000000000-mapping.dmp
-
memory/2144-7-0x0000000000000000-mapping.dmp
-
memory/2908-42-0x0000000000000000-mapping.dmp
-
memory/2908-41-0x0000000000430000-0x0000000000431000-memory.dmp (Filesize 4KB)
-
memory/3428-0-0x0000000000000000-mapping.dmp
-
memory/3456-6-0x0000000000000000-mapping.dmp
-
memory/3460-5-0x0000000000000000-mapping.dmp
-
memory/3684-3-0x0000000002F60000-0x0000000002F61000-memory.dmp (Filesize 4KB)
-
memory/3684-4-0x0000000000000000-mapping.dmp
-
memory/4044-11-0x0000000000000000-mapping.dmp
-
memory/4084-9-0x0000000000000000-mapping.dmp
-
memory/4300-8-0x0000000000000000-mapping.dmp
-
memory/4372-10-0x0000000000000000-mapping.dmp
-
memory/4508-13-0x0000000000000000-mapping.dmp
-
memory/4532-14-0x0000000000000000-mapping.dmp
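The "Drops file in Program Files directory" list and the Downloads list above show the two file-system patterns that identify a run like this one independently of the process chain: the same note file (!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT) created in directory after directory, and dozens of unrelated files rewritten so that they all end in one extension (.EDD-183-890 in this run). The script below is an added example, not part of the sandbox report or of the Buran sample. It applies that heuristic to file events shaped like the report's entries and recovers the pre-encryption file names. Assumptions: the services.exe rows are a subset of the report's paths, the explorer.exe rows are constructed benign noise for contrast, the thresholds are the author's own, and the extension is treated as appended to the original name (which the Desktop entries in the Downloads list bear out for this run).

```python
"""Added triage example (not the report's or the sample's code): flag a
process that fans one note file out across many directories or rewrites
many files to an extension no other process touches. Events constructed."""
import ntpath
from collections import Counter, defaultdict

NOTE = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"
EXT = ".EDD-183-890"  # extension appended to encrypted files in this run
PF = "C:\\Program Files"
ACRO = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"

# (pid, image name, action, path); 4044 is the services.exe -agent 0 instance.
# The explorer.exe rows are constructed benign background activity.
FILE_EVENTS = [
    (4044, "services.exe", "created", ACRO + "\\WebResources\\Resource0\\static\\js\\plugins\\tracked-send\\js\\viewer\\nls\\pt-br\\" + NOTE),
    (4044, "services.exe", "created", PF + "\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Cyrl-BA\\" + NOTE),
    (4044, "services.exe", "created", PF + "\\VideoLAN\\VLC\\locale\\eu\\LC_MESSAGES\\" + NOTE),
    (4044, "services.exe", "created", ACRO + "\\WebResources\\Resource0\\static\\js\\plugins\\unified-share\\js\\nls\\en-gb\\" + NOTE),
    (4044, "services.exe", "modified", PF + "\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms" + EXT),
    (4044, "services.exe", "modified", PF + "\\Java\\jdk1.8.0_66\\lib\\missioncontrol\\plugins\\org.eclipse.jface_3.10.1.v20140813-1009.jar" + EXT),
    (4044, "services.exe", "modified", PF + "\\Java\\jdk1.8.0_66\\jre\\bin\\tnameserv.exe" + EXT),
    (4044, "services.exe", "modified", PF + "\\Java\\jdk1.8.0_66\\bin\\jmc.exe" + EXT),
    (4044, "services.exe", "modified", ACRO + "\\Tracker\\reviewers.gif" + EXT),
    (4044, "services.exe", "modified", PF + "\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Calibri-Cambria.xml" + EXT),
    (4044, "services.exe", "modified", PF + "\\Microsoft Office\\root\\Licenses16\\MondoR_Trial-ppd.xrm-ms"),
    (4044, "services.exe", "modified", PF + "\\VideoLAN\\VLC\\lua\\http\\dialogs\\create_stream.html"),
    (1234, "explorer.exe", "created", "C:\\Users\\Admin\\Desktop\\notes.txt"),
    (1234, "explorer.exe", "modified", "C:\\Users\\Admin\\Desktop\\report.docx"),
]


def final_ext(path):
    """Last dotted suffix of the file name, lower-cased ('' when there is none)."""
    name = ntpath.basename(path)
    _, dot, ext = name.rpartition(".")
    return ("." + ext).lower() if dot else ""


def note_fanout(events):
    """(pid, file name) -> number of distinct directories it was created in."""
    dirs = defaultdict(set)
    for pid, _, action, path in events:
        if action == "created":
            dirs[(pid, ntpath.basename(path))].add(ntpath.dirname(path))
    return {key: len(d) for key, d in dirs.items()}


def extension_counts(events):
    """pid -> Counter of final extensions among the files it modified."""
    counts = defaultdict(Counter)
    for pid, _, action, path in events:
        if action == "modified":
            counts[pid][final_ext(path)] += 1
    return counts


def original_name(path, ext=EXT):
    """Strip the appended extension to recover the pre-encryption file name."""
    return path[:-len(ext)] if path.lower().endswith(ext.lower()) else path


def alerts(events, min_note_dirs=3, min_ext_hits=4):
    """Flag a pid that drops one file name into >= min_note_dirs directories
    or rewrites >= min_ext_hits files to an extension nobody else modifies."""
    fan, counts = note_fanout(events), extension_counts(events)
    out = []
    for pid in sorted({e[0] for e in events}):
        notes = [(n, k) for (p, n), k in fan.items() if p == pid and k >= min_note_dirs]
        mine = counts.get(pid, Counter())
        others = set().union(*(c for o, c in counts.items() if o != pid))
        rare = [(x, k) for x, k in mine.items() if k >= min_ext_hits and x not in others]
        if notes or rare:
            out.append({"pid": pid, "notes": notes, "extensions": rare})
    return out


if __name__ == "__main__":
    for a in alerts(FILE_EVENTS):
        print(a)
    # Recover the original names of the files this run encrypted.
    for _, _, action, path in FILE_EVENTS:
        if action == "modified" and path.endswith(EXT):
            print(original_name(path))
```

On the constructed input only PID 4044 is flagged: the note appears in four directories and six modified files share an extension that no other process touches, while the files it merely opened (the .xrm-ms and .html entries) fall under the threshold. Comparing a process's extensions against every other process's is what keeps ordinary editors and installers quiet; an unusual extension appearing in bulk from one process and nowhere else is the signal.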