Analysis
-
max time kernel
150s -
max time network
135s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
07-11-2020 21:28
Static task
static1
Behavioral task
behavioral1
Sample
lsass.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
lsass.exe
Resource
win10v20201028
General
-
Target
lsass.exe
-
Size
214KB
-
MD5
3a87a3c5abcdc92ef421700ac6f5d0d1
-
SHA1
70509f9eed0f90f62b804da75aa73b6a3f6390ec
-
SHA256
45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
-
SHA512
f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
tomriddle1337@cock.li
riddletom1337@protonmail.com
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
services.exeservices.exepid process 2756 services.exe 1432 services.exe -
Deletes itself 1 IoCs
Processes:
notepad.exepid process 1636 notepad.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
lsass.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start" lsass.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
services.exedescription ioc process File opened (read-only) \??\P: services.exe File opened (read-only) \??\M: services.exe File opened (read-only) \??\J: services.exe File opened (read-only) \??\I: services.exe File opened (read-only) \??\G: services.exe File opened (read-only) \??\F: services.exe File opened (read-only) \??\W: services.exe File opened (read-only) \??\U: services.exe File opened (read-only) \??\R: services.exe File opened (read-only) \??\Q: services.exe File opened (read-only) \??\L: services.exe File opened (read-only) \??\E: services.exe File opened (read-only) \??\B: services.exe File opened (read-only) \??\X: services.exe File opened (read-only) \??\V: services.exe File opened (read-only) \??\T: services.exe File opened (read-only) \??\N: services.exe File opened (read-only) \??\K: services.exe File opened (read-only) \??\H: services.exe File opened (read-only) \??\A: services.exe File opened (read-only) \??\Z: services.exe File opened (read-only) \??\Y: services.exe File opened (read-only) \??\S: services.exe File opened (read-only) \??\O: services.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 6 geoiptool.com -
Modifies service 2 TTPs 4 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe -
Drops file in Program Files directory 23156 IoCs
Processes:
services.exedescription ioc process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar.608-BE8-D51 services.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4583_24x24x32.png services.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms services.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\LargeTile.scale-100.png services.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugin.js services.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\THMBNAIL.PNG.608-BE8-D51 services.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCache-Dark.scale-180.png services.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.608-BE8-D51 services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL117.XML.608-BE8-D51 services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-100.png.608-BE8-D51 services.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\EDGE.ELM services.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html services.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.winmd services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_zh_CN.jar.608-BE8-D51 services.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\classlist.608-BE8-D51 services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms services.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7296_48x48x32.png services.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\ui-strings.js.608-BE8-D51 services.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\it-it\ui-strings.js.608-BE8-D51 services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL120.XML.608-BE8-D51 services.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICBI.TTF.608-BE8-D51 services.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\mz_16x11.png services.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\ui-strings.js services.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\improved-office-to-pdf.png services.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc.did services.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\no_get.svg services.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT services.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-48.png services.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\Retail\Retail_Get_Started_icon.png services.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\SmallTile.scale-200.png services.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\uk-ua\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml.608-BE8-D51 services.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\NavColumn_Black\Icon_Printer Settings.png services.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\Buttons\Back\Back-over.png services.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\editpdf.svg services.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\s_empty_folder_state.svg.608-BE8-D51 services.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNotePageWideTile.scale-100.png services.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-150.png services.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8498_40x40x32.png services.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-30.png services.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.608-BE8-D51 services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ppd.xrm-ms.608-BE8-D51 services.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x services.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pt-br\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT services.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\ui-strings.js services.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-80.png services.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailWideTile.scale-100.png services.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat services.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lets-get-started.png services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE.608-BE8-D51 services.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_SaveAutomatically_RTL_Tablet.mp4 services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms.608-BE8-D51 services.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\ProjectionPlanar.scale-100.png services.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\autumn_10h.png services.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-150.png services.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 3956 vssadmin.exe 2064 vssadmin.exe -
Processes:
lsass.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 lsass.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e lsass.exe -
Suspicious behavior: EnumeratesProcesses 7414 IoCs
Processes:
services.exepid process 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe 2756 services.exe -
Suspicious use of AdjustPrivilegeToken 89 IoCs
Processes:
lsass.exeWMIC.exeWMIC.exevssvc.exedescription pid process Token: SeDebugPrivilege 3988 lsass.exe Token: SeDebugPrivilege 3988 lsass.exe Token: SeIncreaseQuotaPrivilege 2688 WMIC.exe Token: SeSecurityPrivilege 2688 WMIC.exe Token: SeTakeOwnershipPrivilege 2688 WMIC.exe Token: SeLoadDriverPrivilege 2688 WMIC.exe Token: SeSystemProfilePrivilege 2688 WMIC.exe Token: SeSystemtimePrivilege 2688 WMIC.exe Token: SeProfSingleProcessPrivilege 2688 WMIC.exe Token: SeIncBasePriorityPrivilege 2688 WMIC.exe Token: SeCreatePagefilePrivilege 2688 WMIC.exe Token: SeBackupPrivilege 2688 WMIC.exe Token: SeRestorePrivilege 2688 WMIC.exe Token: SeShutdownPrivilege 2688 WMIC.exe Token: SeDebugPrivilege 2688 WMIC.exe Token: SeSystemEnvironmentPrivilege 2688 WMIC.exe Token: SeRemoteShutdownPrivilege 2688 WMIC.exe Token: SeUndockPrivilege 2688 WMIC.exe Token: SeManageVolumePrivilege 2688 WMIC.exe Token: 33 2688 WMIC.exe Token: 34 2688 WMIC.exe Token: 35 2688 WMIC.exe Token: 36 2688 WMIC.exe Token: SeIncreaseQuotaPrivilege 3028 WMIC.exe Token: SeSecurityPrivilege 3028 WMIC.exe Token: SeTakeOwnershipPrivilege 3028 WMIC.exe Token: SeLoadDriverPrivilege 3028 WMIC.exe Token: SeSystemProfilePrivilege 3028 WMIC.exe Token: SeSystemtimePrivilege 3028 WMIC.exe Token: SeProfSingleProcessPrivilege 3028 WMIC.exe Token: SeIncBasePriorityPrivilege 3028 WMIC.exe Token: SeCreatePagefilePrivilege 3028 WMIC.exe Token: SeBackupPrivilege 3028 WMIC.exe Token: SeRestorePrivilege 3028 WMIC.exe Token: SeShutdownPrivilege 3028 WMIC.exe Token: SeDebugPrivilege 3028 WMIC.exe Token: SeSystemEnvironmentPrivilege 3028 WMIC.exe Token: SeRemoteShutdownPrivilege 3028 WMIC.exe Token: SeUndockPrivilege 3028 WMIC.exe Token: SeManageVolumePrivilege 3028 WMIC.exe Token: 33 3028 WMIC.exe Token: 34 3028 WMIC.exe Token: 35 3028 WMIC.exe Token: 36 3028 WMIC.exe Token: SeBackupPrivilege 1272 vssvc.exe Token: SeRestorePrivilege 1272 vssvc.exe Token: SeAuditPrivilege 1272 vssvc.exe Token: SeIncreaseQuotaPrivilege 2688 WMIC.exe Token: SeSecurityPrivilege 2688 WMIC.exe Token: SeTakeOwnershipPrivilege 2688 WMIC.exe Token: SeLoadDriverPrivilege 2688 WMIC.exe Token: SeSystemProfilePrivilege 2688 WMIC.exe Token: SeSystemtimePrivilege 2688 WMIC.exe Token: SeProfSingleProcessPrivilege 2688 WMIC.exe Token: SeIncBasePriorityPrivilege 2688 WMIC.exe Token: SeCreatePagefilePrivilege 2688 WMIC.exe Token: SeBackupPrivilege 2688 WMIC.exe Token: SeRestorePrivilege 2688 WMIC.exe Token: SeShutdownPrivilege 2688 WMIC.exe Token: SeDebugPrivilege 2688 WMIC.exe Token: SeSystemEnvironmentPrivilege 2688 WMIC.exe Token: SeRemoteShutdownPrivilege 2688 WMIC.exe Token: SeUndockPrivilege 2688 WMIC.exe Token: SeManageVolumePrivilege 2688 WMIC.exe -
Suspicious use of WriteProcessMemory 42 IoCs
Processes:
lsass.exeservices.execmd.execmd.execmd.exedescription pid process target process PID 3988 wrote to memory of 2756 3988 lsass.exe services.exe PID 3988 wrote to memory of 2756 3988 lsass.exe services.exe PID 3988 wrote to memory of 2756 3988 lsass.exe services.exe PID 3988 wrote to memory of 1636 3988 lsass.exe notepad.exe PID 3988 wrote to memory of 1636 3988 lsass.exe notepad.exe PID 3988 wrote to memory of 1636 3988 lsass.exe notepad.exe PID 3988 wrote to memory of 1636 3988 lsass.exe notepad.exe PID 3988 wrote to memory of 1636 3988 lsass.exe notepad.exe PID 3988 wrote to memory of 1636 3988 lsass.exe notepad.exe PID 2756 wrote to memory of 480 2756 services.exe cmd.exe PID 2756 wrote to memory of 480 2756 services.exe cmd.exe PID 2756 wrote to memory of 480 2756 services.exe cmd.exe PID 2756 wrote to memory of 908 2756 services.exe cmd.exe PID 2756 wrote to memory of 908 2756 services.exe cmd.exe PID 2756 wrote to memory of 908 2756 services.exe cmd.exe PID 2756 wrote to memory of 3828 2756 services.exe cmd.exe PID 2756 wrote to memory of 3828 2756 services.exe cmd.exe PID 2756 wrote to memory of 3828 2756 services.exe cmd.exe PID 2756 wrote to memory of 3856 2756 services.exe cmd.exe PID 2756 wrote to memory of 3856 2756 services.exe cmd.exe PID 2756 wrote to memory of 3856 2756 services.exe cmd.exe PID 2756 wrote to memory of 2500 2756 services.exe cmd.exe PID 2756 wrote to memory of 2500 2756 services.exe cmd.exe PID 2756 wrote to memory of 2500 2756 services.exe cmd.exe PID 2756 wrote to memory of 4000 2756 services.exe cmd.exe PID 2756 wrote to memory of 4000 2756 services.exe cmd.exe PID 2756 wrote to memory of 4000 2756 services.exe cmd.exe PID 2756 wrote to memory of 1432 2756 services.exe services.exe PID 2756 wrote to memory of 1432 2756 services.exe services.exe PID 2756 wrote to memory of 1432 2756 services.exe services.exe PID 480 wrote to memory of 3028 480 cmd.exe WMIC.exe PID 480 wrote to memory of 3028 480 cmd.exe WMIC.exe PID 480 wrote to memory of 3028 480 cmd.exe WMIC.exe PID 4000 wrote to memory of 2688 4000 cmd.exe WMIC.exe PID 4000 wrote to memory of 2688 4000 cmd.exe WMIC.exe PID 4000 wrote to memory of 2688 4000 cmd.exe WMIC.exe PID 2500 wrote to memory of 3956 2500 cmd.exe vssadmin.exe PID 2500 wrote to memory of 3956 2500 cmd.exe vssadmin.exe PID 2500 wrote to memory of 3956 2500 cmd.exe vssadmin.exe PID 4000 wrote to memory of 2064 4000 cmd.exe vssadmin.exe PID 4000 wrote to memory of 2064 4000 cmd.exe vssadmin.exe PID 4000 wrote to memory of 2064 4000 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\lsass.exe"C:\Users\Admin\AppData\Local\Temp\lsass.exe"1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 03⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\notepad.exenotepad.exe2⤵
- Deletes itself
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBMD5
e5be8c65934ad0c00c584026d085108e
SHA16ce4c8bc54630bf9f70d3fe93ce91bf44004439f
SHA25668413df5f5923c0283167f5bf10bb7a65b1cdbea7602d263f64af49820efa315
SHA51250470648453a249e3ec06572fd418a123bd0500291a8b3bc0c7cde453ac36e027130f49f01c17ab21034d6033abe1f81402166ee80460b0fcb56856f20db2539
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEEMD5
3208da0c038576623565b095fcea4ad1
SHA1bc421f8eb4b9c6100aa444edece988c01dd63b26
SHA25616ca708624c0f83871bbb8349e31fba20e5591f298ee91ddf08faf2919041f4b
SHA51217fd810bdb400ce06167d6009a23cbdafdeb5eb0cb5c18456ec3a833546ad050429b003bdec753aa591d5b370cbb1290633abc1cc71f3ae29e81d58c56b8408c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
3bf227caeee1b07d47b29873a1640f1a
SHA161af6e587db89d7d7f518bb1e16c2d73451e5ed6
SHA25630becef61dd6dd9d8b0402aec82db12ebb3ef7b76d854ca1f8bd30fa50ab5980
SHA51229a3663efa62ccc6dce4e083b7e43e80560de48ebc0eebfff5aed1fc158f0ed65a009589046773cb3c97588005219f45ae414c53f7bffe5a0a2ec80b0c2a903e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBMD5
35aca68d66bdd9e4a95bda5f3c538df8
SHA1751dd5064f0ebe281a1c7f62d7b843b060358b4c
SHA256cd2148e565e406a19219e48a0863c181f80b1989a9fbb35f41ff02d7944a3141
SHA5128a7cc64df7352f741496fc70c6bd71cdb5e3c501dd25e587af23c2b7e9a31258e2f56e0d0fa3d24c5de71e6e06a39f40c309b892e1e8129439ceefbd218a86cb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEEMD5
10d74ff50c4d114f978062a58aa2c5aa
SHA1ac9ef94568b908ec006b93fdb6f2d747d198f209
SHA2565c484cbae43e72381ba1d62df7d2dda11f918c69621ebecc427a8d7ad6fa2bb3
SHA512800c38c0f9ad4d59f9c4297ff4b209d668656d5b0e43c6f6fb3bf67e6527709842ed6fdf60aa7ed3a5b7022017835e547f3d35b0293c5e658a3a699ef953ba5d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
afb42e4a399444bd72dec8e27dd3ae27
SHA16b31b9dd80d88dda85eef7e6a6949554b9c0fe0e
SHA2567a567b8941ddfdd89a908e42370e989b16279fccb0b8de2862802c5017d159da
SHA5121ec707e9f14b6537df6d2e2d8ecd24ca9e7c3e4640fced2bf67418827b9c1e0882b60e360f39fa76f9994ee360b4a584c889195ef2769bc9a88ee0853ba30026
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JGAO043J\32N1POL7.htmMD5
6b17a59cec1a7783febae9aa55c56556
SHA101d4581e2b3a6348679147a915a0b22b2a66643a
SHA25666987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb
SHA5123337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S7PGJ114\9BKPPHZT.htmMD5
b1cd7c031debba3a5c77b39b6791c1a7
SHA1e5d91e14e9c685b06f00e550d9e189deb2075f76
SHA25657ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
SHA512d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
-
C:\Users\Admin\AppData\Local\Temp\~temp001.batMD5
ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exeMD5
3a87a3c5abcdc92ef421700ac6f5d0d1
SHA170509f9eed0f90f62b804da75aa73b6a3f6390ec
SHA25645dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
SHA512f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exeMD5
3a87a3c5abcdc92ef421700ac6f5d0d1
SHA170509f9eed0f90f62b804da75aa73b6a3f6390ec
SHA25645dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
SHA512f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exeMD5
3a87a3c5abcdc92ef421700ac6f5d0d1
SHA170509f9eed0f90f62b804da75aa73b6a3f6390ec
SHA25645dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
SHA512f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f
-
memory/480-13-0x0000000000000000-mapping.dmp
-
memory/908-14-0x0000000000000000-mapping.dmp
-
memory/1432-19-0x0000000000000000-mapping.dmp
-
memory/1636-3-0x0000000003090000-0x0000000003091000-memory.dmpFilesize
4KB
-
memory/1636-4-0x0000000000000000-mapping.dmp
-
memory/2064-25-0x0000000000000000-mapping.dmp
-
memory/2500-17-0x0000000000000000-mapping.dmp
-
memory/2688-23-0x0000000000000000-mapping.dmp
-
memory/2756-0-0x0000000000000000-mapping.dmp
-
memory/3028-22-0x0000000000000000-mapping.dmp
-
memory/3828-15-0x0000000000000000-mapping.dmp
-
memory/3856-16-0x0000000000000000-mapping.dmp
-
memory/3956-24-0x0000000000000000-mapping.dmp
-
memory/4000-18-0x0000000000000000-mapping.dmp