Analysis
- max time kernel: 154s
- max time network: 131s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 06-11-2020 15:33
Static task: static1
Behavioral task: behavioral1
- Sample: f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe
- Resource: win10v20201028
General
- Target: f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe
- Size: 212KB
- MD5: 723825ad69a5d55a1e5ed3d1ee831f0d
- SHA1: 7e082df63c3de0f8bf9d38edf72ba5268078275a
- SHA256: f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb
- SHA512: dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78
Malware Config
Extracted from: C:\RECOVERY DATA INFORMATION.TXT (ransom note dropped at the root of C:)
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes (pid, process):
- 2740 services.exe
- 1304 services.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run (f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start" (f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe)
Note: the autorun value is named services.exe and points at a copy of the sample under the user's roaming profile, a user-writable path; the real services.exe only ever runs from C:\Windows\System32.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process):
- File opened (read-only) by services.exe: \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (every drive letter except C: and D:, consistent with probing every possible volume, removable and mapped network drives included, before encrypting)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- flow 12: geoiptool.com
-
Modifies service 2 TTPs 4 IoCs
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
Caveat: vssvc.exe is the Windows Volume Shadow Copy service. These VSS\Diag keys are its own writer bookkeeping, a side effect of the vssadmin and wmic shadow-copy deletions below, not a service modification made by the sample.
-
Drops file in Program Files directory 9273 IoCs
Processes (description, ioc; all by services.exe):
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.2A3-294-AF4
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms.2A3-294-AF4
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS.2A3-294-AF4
- File opened for modification: C:\Program Files\Windows Defender\ThirdPartyNotices.txt
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar.2A3-294-AF4
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_ja_4.4.0.v20140623020002.jar.2A3-294-AF4
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms.2A3-294-AF4
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe.2A3-294-AF4
- File created: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\RECOVERY DATA INFORMATION.TXT
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-attach.jar
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL078.XML
- File created: C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\RECOVERY DATA INFORMATION.TXT
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\Interceptor.tlb
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac.2A3-294-AF4
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar.2A3-294-AF4
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-pl.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui
- File opened for modification: C:\Program Files\7-Zip\7-zip.chm.2A3-294-AF4
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo
- File opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml.2A3-294-AF4
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms.2A3-294-AF4
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICI.TTF
- File opened for modification: C:\Program Files\Microsoft Office\root\vreg\osm.x-none.msi.16.x-none.vreg.dat.2A3-294-AF4
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ul-oob.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\msipc.dll.mui
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.2A3-294-AF4
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar.2A3-294-AF4
- File opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]
- File opened for modification: C:\Program Files\7-Zip\Lang\mk.txt.2A3-294-AF4
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\lib\management-agent.jar
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ul-oob.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml.2A3-294-AF4
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.2A3-294-AF4
- File opened for modification: C:\Program Files\Microsoft Office\root\vreg\excelmui.msi.16.en-us.vreg.dat.2A3-294-AF4
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ppd.xrm-ms.2A3-294-AF4
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-phn.xrm-ms.2A3-294-AF4
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.2A3-294-AF4
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG2.TTF.2A3-294-AF4
- File opened for modification: C:\Program Files\7-Zip\Lang\mng2.txt.2A3-294-AF4
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.2A3-294-AF4
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png.2A3-294-AF4
- File opened for modification: C:\Program Files\Microsoft Office\root\Templates\1033\OriginReport.Dotx.2A3-294-AF4
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARABD.TTF
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\PREVIEW.GIF
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms
(The report records 9273 such events; only the first page is shown. Encrypted files carry the appended extension .2A3-294-AF4, and a ransom note named RECOVERY DATA INFORMATION.TXT is created in the directories the encryptor visits.)
-
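A triage helper for the two host-side indicators above, the Run-key value under "Adds Run key to start application" and the file naming under "Drops file in Program Files directory". This is an added example, not sandbox output and not the sample's code: it parses a Run-key command string of the shape the report shows and flags a system-binary name autostarting from a user profile, and it infers the appended encryption extension and the ransom-note name from a list of paths without being told either. SAMPLE_RUN_VALUE and SAMPLE_PATHS are constructed from the report; the thresholds min_distinct and min_dirs and the SYSTEM_BINARIES list are assumptions.

```python
"""Triage helpers for this report's persistence and file-naming IoCs (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Binaries that only ever live under C:\Windows; the same name under a user
# profile is masquerading (T1036.005). Assumed list, extend as needed.
SYSTEM_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.I)
# Shape of an ordinary extension; separates ".xml" from version fragments
# such as ".v20140901-1043" when scanning suffixes.
PLAIN_EXT = re.compile(r"^\.[A-Za-z0-9_-]{1,8}$")


def parse_run_value(value: str) -> tuple[str, str]:
    """Split a Run-key command string into (image path, arguments).
    Quoted form (what the sample writes) and bare form; a bare path containing
    spaces is ambiguous, as it is for Windows itself, and ends at the first space."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in Run value")
        return value[1:end], value[end + 1:].strip()
    head, _, tail = value.partition(" ")
    return head, tail.strip()


def assess_run_entry(name: str, value: str) -> list[str]:
    """Reasons a Run entry resembles the sample's persistence; empty if none."""
    image, _args = parse_run_value(value)
    base = PureWindowsPath(image).name.lower()
    reasons = []
    if base in SYSTEM_BINARIES and USER_PROFILE.match(image):
        reasons.append(f"{base} is a system binary name but runs from a user profile")
    if "\\appdata\\" in image.lower():
        reasons.append(f"autorun value {name!r} targets an executable under AppData")
    return reasons


def infer_marker(paths: list[str], min_distinct: int = 3) -> str | None:
    """The final suffix glued onto the most distinct ordinary extensions
    (.xrm-ms, .exe, .xml, ...) is the encryption marker; None if nothing qualifies."""
    preceding: dict[str, set[str]] = defaultdict(set)
    for p in paths:
        sfx = PureWindowsPath(p).suffixes
        if len(sfx) >= 2 and PLAIN_EXT.match(sfx[-2]):
            preceding[sfx[-1]].add(sfx[-2].lower())
    if not preceding:
        return None
    marker, exts = max(preceding.items(), key=lambda kv: len(kv[1]))
    return marker if len(exts) >= min_distinct else None


def find_ransom_note(paths: list[str], min_dirs: int = 3) -> tuple[str | None, int]:
    """The one file name that recurs across the most directories, with that count."""
    dirs: dict[str, set[str]] = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        dirs[wp.name].add(str(wp.parent).lower())
    if not dirs:
        return None, 0
    name, ds = max(dirs.items(), key=lambda kv: len(kv[1]))
    return (name, len(ds)) if len(ds) >= min_dirs else (None, 0)


def summarize(paths: list[str]) -> dict:
    marker = infer_marker(paths)
    note, note_dirs = find_ransom_note(paths)
    encrypted = sum(1 for p in paths if marker and p.endswith(marker))
    return {"marker": marker, "encrypted": encrypted, "note": note,
            "note_dirs": note_dirs, "untouched": len(paths) - encrypted - note_dirs}


# Constructed from the report: the Run value as stored (unescaped) and a
# handful of the listed paths, encrypted, untouched and ransom notes mixed.
SAMPLE_RUN_VALUE = r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start'
SAMPLE_PATHS = [
    r"C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms.2A3-294-AF4",
    r"C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS.2A3-294-AF4",
    r"C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe.2A3-294-AF4",
    r"C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac.2A3-294-AF4",
    r"C:\Program Files\7-Zip\7-zip.chm.2A3-294-AF4",
    r"C:\Program Files\7-Zip\Lang\mk.txt.2A3-294-AF4",
    r"C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml.2A3-294-AF4",
    r"C:\Program Files\Windows Defender\ThirdPartyNotices.txt",
    r"C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe",
    r"C:\Program Files\Java\jre1.8.0_66\lib\management-agent.jar",
    r"C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICI.TTF",
    r"C:\RECOVERY DATA INFORMATION.TXT",
    r"C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\RECOVERY DATA INFORMATION.TXT",
    r"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\RECOVERY DATA INFORMATION.TXT",
]

if __name__ == "__main__":
    print(assess_run_entry("services.exe", SAMPLE_RUN_VALUE))
    print(summarize(SAMPLE_PATHS))
```

Feed it a real directory walk (or the full 9273-entry list exported from the report) and it returns the marker extension and note name to pivot on, which is what you need for a file-system IoC sweep across other hosts without hard-coding this sample's extension.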
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, process):
- 672 vssadmin.exe
- 636 vssadmin.exe
-
Modifies system certificate store 2 IoCs
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob not reproduced in the report) (f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe)
Caveat: an AuthRoot\Certificates write by the process that has just made an outbound TLS connection, together with the CryptnetUrlCache files under Downloads, is the usual footprint of Windows' automatic root-certificate update, which crypt32 performs inside the connecting process. Treat it as deliberate certificate-store tampering only after confirming that the sample itself calls the certificate-store APIs.
-
Suspicious use of AdjustPrivilegeToken 87 IoCs
Processes (privilege, pid, process; the report repeats each process's set, which is how it reaches 87 entries):
- WMIC.exe (pid 3160) and WMIC.exe (pid 640), each: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (the last four are privilege values the sandbox did not resolve to names)
- vssvc.exe (pid 1000): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
Caveat: WMIC.exe enables this full set of privileges on every start, so these entries describe WMIC's own initialisation, not privilege escalation by the sample. The fact worth keeping is that the sample invoked wmic at all, and with what arguments (see the process tree).
Suspicious use of WriteProcessMemory 36 IoCs
Processes (source pid and process, target pid and process; each relation is recorded three times, giving the 36 entries):
- 500 f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe -> 2740 services.exe
- 2740 services.exe -> 3748 cmd.exe
- 2740 services.exe -> 4088 cmd.exe
- 2740 services.exe -> 2716 cmd.exe
- 2740 services.exe -> 2772 cmd.exe
- 2740 services.exe -> 3396 cmd.exe
- 2740 services.exe -> 3476 cmd.exe
- 2740 services.exe -> 1304 services.exe
- 3396 cmd.exe -> 672 vssadmin.exe
- 3748 cmd.exe -> 640 WMIC.exe
- 3476 cmd.exe -> 3160 WMIC.exe
- 3476 cmd.exe -> 636 vssadmin.exe
Caveat: every source here is the parent of its target, so these writes are the ordinary part of process creation (the parent writes into the new child's address space) and mirror the process tree below; on their own they are not evidence of code injection.
Processes (indentation shows parent/child depth; image path first, then the command line as recorded)
- C:\Users\Admin\AppData\Local\Temp\f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe"
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
      - Executes dropped EXE
      - Drops file in Program Files directory
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Notes on the tree:
- cmd.exe, WMIC.exe and vssadmin.exe resolve to C:\Windows\SysWOW64\... even though the command lines name system32: the sample is a 32-bit process on 64-bit Windows, so file-system redirection sends its children to the WoW64 copies.
- The cmd.exe instances for the two bcdedit commands and for wbadmin delete catalog have no child process recorded, so the report gives no evidence that those three commands actually executed. On 64-bit Windows bcdedit.exe ships only in System32, not in SysWOW64, which is a common reason a 32-bit encryptor fails at this step; do not assume boot recovery was disabled without checking the BCD store.
- ~temp001.bat (hashed under Downloads) repeats the wmic shadowcopy delete and vssadmin delete shadows commands, so shadow copies are attacked twice, once directly and once through the batch file.
- The second services.exe instance (pid 1304, -agent 0) is the one that touches Program Files; the first (pid 2740, -start) only orchestrates. vssvc.exe at the top level is the Windows Volume Shadow Copy service started on demand by the deletions, not a child of the sample.
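The process tree above is the detection opportunity: five distinct recovery-inhibition commands fanning out from one dropped binary within seconds. The following is an added example, not sandbox output and not the sample's code. It walks constructed Sysmon-style process-creation events (pids, images and command lines taken from the tree; the event shape, the field names, the pid 4000 parent of the sample and the benign notepad event are assumptions), flags each command the tree shows under ATT&CK T1490 (Inhibit System Recovery) and the fake services.exe under T1036.005 (Masquerading), and counts distinct T1490 commands per root ancestor, which is the number that separates this sample from an administrator running vssadmin once.

```python
"""Detector for the recovery-inhibition chain in the process tree (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# (regex over the command line, short rule name, ATT&CK technique)
RECOVERY_INHIBIT_RULES = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "vssadmin delete shadows", "T1490"),
    (r"wmic(\.exe)?\s+shadowcopy\s+delete", "wmic shadowcopy delete", "T1490"),
    (r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no",
     "bcdedit recoveryenabled no", "T1490"),
    (r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures",
     "bcdedit bootstatuspolicy ignoreallfailures", "T1490"),
    (r"wbadmin(\.exe)?\s+delete\s+catalog", "wbadmin delete catalog", "T1490"),
]

# Binaries that only live under C:\Windows; the same name under a user profile
# is masquerading (the sample drops services.exe into %APPDATA%\Microsoft\Windows).
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    rule: str
    technique: str
    detail: str


def check_event(ev: ProcEvent) -> list[Finding]:
    """Findings for one process-creation event (cmd.exe wrappers match too)."""
    found = [Finding(ev.pid, name, tech, ev.cmdline)
             for pattern, name, tech in RECOVERY_INHIBIT_RULES
             if re.search(pattern, ev.cmdline, re.I)]
    base = ev.image.rsplit("\\", 1)[-1].lower()
    if base in SYSTEM_NAMES and USER_WRITABLE.match(ev.image):
        found.append(Finding(ev.pid, "system binary name in user-writable path",
                             "T1036.005", ev.image))
    return found


def correlate(events: list[ProcEvent]) -> tuple[list[Finding], dict[int, int]]:
    """All findings, plus per root ancestor the number of distinct T1490
    commands seen anywhere in its subtree."""
    by_pid = {e.pid: e for e in events}

    def root_of(ev: ProcEvent) -> int:
        seen: set[int] = set()
        while ev.ppid in by_pid and ev.pid not in seen:   # stop at unknown parent or a cycle
            seen.add(ev.pid)
            ev = by_pid[ev.ppid]
        return ev.pid

    findings: list[Finding] = []
    rules_per_root: dict[int, set[str]] = {}
    for ev in events:
        for f in check_event(ev):
            findings.append(f)
            if f.technique == "T1490":
                rules_per_root.setdefault(root_of(ev), set()).add(f.rule)
    return findings, {r: len(s) for r, s in rules_per_root.items()}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
# Constructed events: pids and command lines follow the report's tree; the
# sample's own parent (4000) and the notepad control event are invented.
SAMPLE_EVENTS = [
    ProcEvent(500, 4000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2740, 500, DROPPED, f'"{DROPPED}" -start'),
    ProcEvent(3748, 2740, CMD, r'"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete'),
    ProcEvent(640, 3748, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(4088, 2740, CMD, r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no'),
    ProcEvent(2716, 2740, CMD, r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    ProcEvent(2772, 2740, CMD, r'"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet'),
    ProcEvent(3396, 2740, CMD, r'"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet'),
    ProcEvent(672, 3396, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(9000, 8000, r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\notes.txt"),  # benign control
]

if __name__ == "__main__":
    findings, per_root = correlate(SAMPLE_EVENTS)
    for f in findings:
        print(f"pid {f.pid:>5}  {f.technique}  {f.rule}")
    print("distinct T1490 commands per root:", per_root)
```

Matching on the command line rather than the image name is deliberate: it catches the cmd.exe /C wrappers the sample uses as well as the WoW64 copies of wmic and vssadmin, and it would still fire if the commands were reached through a batch file such as ~temp001.bat. Alert on two or more distinct T1490 rules under one root; a single vssadmin invocation is routine backup housekeeping.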
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5 94b4ad73963959e339923ddcabf6b331
  SHA1 aa2c6af08dd5478d326c90ef2146c3ee2a7b55b2
  SHA256 8945240c6d037d35d6124ac4b9815a8d74d785fa30c2c4b2fd54ed2fb68f58f4
  SHA512 aefafb7d184e5564bdc65311e52619950f603fb89259de2af3b8f9fa05c346bf9e3f33b9cbe05a01389ef97642c7e37299ce8b9b4f3cb9f6d4e9a6877c537126
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5 3208da0c038576623565b095fcea4ad1
  SHA1 bc421f8eb4b9c6100aa444edece988c01dd63b26
  SHA256 16ca708624c0f83871bbb8349e31fba20e5591f298ee91ddf08faf2919041f4b
  SHA512 17fd810bdb400ce06167d6009a23cbdafdeb5eb0cb5c18456ec3a833546ad050429b003bdec753aa591d5b370cbb1290633abc1cc71f3ae29e81d58c56b8408c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5 c6f27d5d1ee450d3400bf13e0804fce6
  SHA1 2d0505f90eca6a49ca15b742aa5ef9ef01c7af41
  SHA256 2c01ba329cfb39b6141b3c98d662ba24eb458e051fb7de79f975e681e8b4327a
  SHA512 75687ddffd7021a033d19049f0cc05bbccd97a1433c06738a04590ed660996f669838514fe9f3b7c4b2eb494cf8a594f54bab1446cc915da4a042c3a327adc3d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5 42ec4a7f1c20eacdf7f35679a47e8687
  SHA1 f3e80c0b7adc162787f7acca32436f589758a34a
  SHA256 baa429e7608442e29ec79669922b9864d4a26a316dfc4f0a30482adfdd76d39a
  SHA512 d5356ad18e2cc077d09eb721939487314b5fb7ec0291dab499b74ffd6ba58625959635829ca0fa8d3eb69f5c2faa481c87edea4e22b93ad25180f5a9d626093a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5 1179e475f6b4917142345837c10bfec2
  SHA1 56456206cf924d22cff8e531d29db838c5e2d0e8
  SHA256 70a8e634f9a6e24c5fad195c47f23a5bbef4879ec541e1dbcc54dc9970c9235a
  SHA512 8bcb0f80187225ade21a0a3e8bf53f97c35a7db81db4c8530140f40377d177b6bf546235038051dd8aaceba75666959703332f3209c50259516468777d3a3da2
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5 9c697b6f7bb8bca34650e0bc13fd8cf2
  SHA1 41d956cc1f485162bf917c0d4bfac8a46adcdacd
  SHA256 4a6c36b8e522db6c536aae4e632761150d48d1fa613a3f692678bc42f8fc8214
  SHA512 bd0dffdc8d55e29226390d8340d8f43e4ec78c472159b43517ca81924aa0c8beacb4ca46c1b68bfb78cd343b35ed15b562b38fc08c52010857c65cddd9c55e9f
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\DNQPS1KB.htm
  MD5 b1cd7c031debba3a5c77b39b6791c1a7
  SHA1 e5d91e14e9c685b06f00e550d9e189deb2075f76
  SHA256 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
  SHA512 d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\FJFVXWXG.htm
  MD5 8615e70875c2cc0b9db16027b9adf11d
  SHA1 4ed62cf405311c0ff562a3c59334a15ddc4f1bf9
  SHA256 da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d
  SHA512 cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73
- C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  MD5 78215698f8f9dc7941c9c287642bd02c
  SHA1 633cd0a6c76f080cdb6e0c98034b0b5dd7283a47
  SHA256 dc94e21e80522b2cee097064c31a7720d70a02d0c55f290d59030fd0c995cac5
  SHA512 c0a05f8cc400855c40b8e8eb3e7f027b06553cc592eb2ab6ad0a8c33ed2d196c7eda358977edc3f34ce1fdbff30efe288725eb10ea463e622ee9eb8085e48f7d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe (recorded three times in the report; the hashes are identical to the submitted sample, so the dropped file is an unmodified copy)
  MD5 723825ad69a5d55a1e5ed3d1ee831f0d
  SHA1 7e082df63c3de0f8bf9d38edf72ba5268078275a
  SHA256 f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb
  SHA512 dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78
Note: the CryptnetUrlCache and INetCache files are written by Windows' CryptoAPI and WinINet caches during the outbound connections, and carry no sample-specific content; the two artefacts worth keeping are ~temp001.bat and the dropped services.exe.
-
memory/636-23-0x0000000000000000-mapping.dmp
-
memory/640-21-0x0000000000000000-mapping.dmp
-
memory/672-20-0x0000000000000000-mapping.dmp
-
memory/1304-17-0x0000000000000000-mapping.dmp
-
memory/2716-13-0x0000000000000000-mapping.dmp
-
memory/2740-0-0x0000000000000000-mapping.dmp
-
memory/2772-14-0x0000000000000000-mapping.dmp
-
memory/3160-22-0x0000000000000000-mapping.dmp
-
memory/3396-15-0x0000000000000000-mapping.dmp
-
memory/3476-16-0x0000000000000000-mapping.dmp
-
memory/3748-11-0x0000000000000000-mapping.dmp
-
memory/4088-12-0x0000000000000000-mapping.dmp