Overview
overview
10Static
static
8ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10Resubmissions
12-11-2021 18:04
211112-wnzb8aahhm 1019-11-2020 10:08
201119-rhwlt38jrx 1018-11-2020 17:26
201118-htd4fq29va 10Analysis
-
max time kernel
304s -
max time network
448s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-11-2020 10:08
Static task
static1
Behavioral task
behavioral1
Sample
1.bin/1.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
2019-09-02_22-41-10.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
31.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v20201028
Behavioral task
behavioral6
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
Behavioral task
behavioral8
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral10
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
HYDRA.exe
Resource
win10v20201028
Behavioral task
behavioral12
Sample
Keygen.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral14
Sample
LtHv0O2KZDK4M637.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win10v20201028
Behavioral task
behavioral16
Sample
OnlineInstaller.exe
Resource
win10v20201028
Behavioral task
behavioral17
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10v20201028
Behavioral task
behavioral18
Sample
SecurityTaskManager_Setup.exe
Resource
win10v20201028
Behavioral task
behavioral19
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral20
Sample
VyprVPN.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral22
Sample
___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요.exe
Resource
win10v20201028
Behavioral task
behavioral24
Sample
amtemu.v0.9.2.win-painter_edited.exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
api.exe
Resource
win10v20201028
Behavioral task
behavioral26
Sample
default.exe
Resource
win10v20201028
Behavioral task
behavioral27
Sample
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
Resource
win10v20201028
Behavioral task
behavioral28
Sample
good.exe
Resource
win10v20201028
Behavioral task
behavioral29
Sample
infected dot net installer.exe
Resource
win10v20201028
Behavioral task
behavioral30
Sample
oof.exe
Resource
win10v20201028
Behavioral task
behavioral31
Sample
ou55sg33s_1.exe
Resource
win10v20201028
General
-
Target
default.exe
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
pid Process 4208 csrss.exe 4488 csrss.exe -
Deletes itself 1 IoCs
pid Process 3264 notepad.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run default.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start" default.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: csrss.exe File opened (read-only) \??\M: csrss.exe File opened (read-only) \??\F: csrss.exe File opened (read-only) \??\Z: csrss.exe File opened (read-only) \??\Y: csrss.exe File opened (read-only) \??\V: csrss.exe File opened (read-only) \??\Q: csrss.exe File opened (read-only) \??\I: csrss.exe File opened (read-only) \??\H: csrss.exe File opened (read-only) \??\S: csrss.exe File opened (read-only) \??\N: csrss.exe File opened (read-only) \??\J: csrss.exe File opened (read-only) \??\G: csrss.exe File opened (read-only) \??\E: csrss.exe File opened (read-only) \??\A: csrss.exe File opened (read-only) \??\K: csrss.exe File opened (read-only) \??\X: csrss.exe File opened (read-only) \??\W: csrss.exe File opened (read-only) \??\T: csrss.exe File opened (read-only) \??\R: csrss.exe File opened (read-only) \??\P: csrss.exe File opened (read-only) \??\O: csrss.exe File opened (read-only) \??\L: csrss.exe File opened (read-only) \??\B: csrss.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 geoiptool.com -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms csrss.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms.13A-721-97F csrss.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms csrss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugin.js csrss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\ui-strings.js.13A-721-97F csrss.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms csrss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down-pressed.gif.13A-721-97F csrss.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT csrss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\de-de\ui-strings.js csrss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fi_get.svg csrss.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_ja.jar csrss.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms csrss.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.13A-721-97F csrss.exe File created C:\Program Files\VideoLAN\VLC\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT csrss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_contrast-high.png csrss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif csrss.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT csrss.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml csrss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Microsoft.StickyNotes.Views\Images\Frown.png csrss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-unplated.png csrss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_checkbox_selected_18.svg csrss.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png.13A-721-97F csrss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\spider\Web_Surfing_.png csrss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\_Resources\5.rsrc csrss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3899_24x24x32.png csrss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xecd2.png csrss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\ui-strings.js.13A-721-97F csrss.exe File created C:\Program Files\Microsoft Office\root\Templates\1033\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT csrss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\Buttons\Menu\Menu-press.png csrss.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-200.png csrss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css csrss.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar.13A-721-97F csrss.exe File created C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT csrss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat csrss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ye_60x42.png csrss.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8268_32x32x32.png csrss.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSmallTile.scale-200.png csrss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_share_18.svg.13A-721-97F csrss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\main.css csrss.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveDrop32x32.gif.13A-721-97F csrss.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\cacerts.13A-721-97F csrss.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar csrss.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-dialogs_ja.jar.13A-721-97F csrss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\mscss7wre_en.dub csrss.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri csrss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\evilgrin.png csrss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML.13A-721-97F csrss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1250_32x32x32.png csrss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-200.png csrss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\de-de\ui-strings.js.13A-721-97F csrss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nl-nl\ui-strings.js.13A-721-97F csrss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt csrss.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo csrss.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-100.png csrss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down.gif.13A-721-97F csrss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\ui-strings.js csrss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML.13A-721-97F csrss.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-100.png csrss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil_2x.png.13A-721-97F csrss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\remove.svg.13A-721-97F csrss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\ui-strings.js csrss.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT csrss.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT csrss.exe File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT csrss.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2600 vssadmin.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 default.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e default.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeDebugPrivilege 4772 default.exe Token: SeDebugPrivilege 4772 default.exe Token: SeDebugPrivilege 4208 csrss.exe Token: SeIncreaseQuotaPrivilege 1620 WMIC.exe Token: SeSecurityPrivilege 1620 WMIC.exe Token: SeTakeOwnershipPrivilege 1620 WMIC.exe Token: SeLoadDriverPrivilege 1620 WMIC.exe Token: SeSystemProfilePrivilege 1620 WMIC.exe Token: SeSystemtimePrivilege 1620 WMIC.exe Token: SeProfSingleProcessPrivilege 1620 WMIC.exe Token: SeIncBasePriorityPrivilege 1620 WMIC.exe Token: SeCreatePagefilePrivilege 1620 WMIC.exe Token: SeBackupPrivilege 1620 WMIC.exe Token: SeRestorePrivilege 1620 WMIC.exe Token: SeShutdownPrivilege 1620 WMIC.exe Token: SeDebugPrivilege 1620 WMIC.exe Token: SeSystemEnvironmentPrivilege 1620 WMIC.exe Token: SeRemoteShutdownPrivilege 1620 WMIC.exe Token: SeUndockPrivilege 1620 WMIC.exe Token: SeManageVolumePrivilege 1620 WMIC.exe Token: 33 1620 WMIC.exe Token: 34 1620 WMIC.exe Token: 35 1620 WMIC.exe Token: 36 1620 WMIC.exe Token: SeIncreaseQuotaPrivilege 1620 WMIC.exe Token: SeSecurityPrivilege 1620 WMIC.exe Token: SeTakeOwnershipPrivilege 1620 WMIC.exe Token: SeLoadDriverPrivilege 1620 WMIC.exe Token: SeSystemProfilePrivilege 1620 WMIC.exe Token: SeSystemtimePrivilege 1620 WMIC.exe Token: SeProfSingleProcessPrivilege 1620 WMIC.exe Token: SeIncBasePriorityPrivilege 1620 WMIC.exe Token: SeCreatePagefilePrivilege 1620 WMIC.exe Token: SeBackupPrivilege 1620 WMIC.exe Token: SeRestorePrivilege 1620 WMIC.exe Token: SeShutdownPrivilege 1620 WMIC.exe Token: SeDebugPrivilege 1620 WMIC.exe Token: SeSystemEnvironmentPrivilege 1620 WMIC.exe Token: SeRemoteShutdownPrivilege 1620 WMIC.exe Token: SeUndockPrivilege 1620 WMIC.exe Token: SeManageVolumePrivilege 1620 WMIC.exe Token: 33 1620 WMIC.exe Token: 34 1620 WMIC.exe Token: 35 1620 WMIC.exe Token: 36 1620 WMIC.exe Token: SeBackupPrivilege 2160 vssvc.exe Token: SeRestorePrivilege 2160 vssvc.exe Token: SeAuditPrivilege 2160 vssvc.exe Token: SeDebugPrivilege 4208 csrss.exe Token: SeDebugPrivilege 4208 csrss.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 4772 wrote to memory of 4208 4772 default.exe 76 PID 4772 wrote to memory of 4208 4772 default.exe 76 PID 4772 wrote to memory of 4208 4772 default.exe 76 PID 4772 wrote to memory of 3264 4772 default.exe 77 PID 4772 wrote to memory of 3264 4772 default.exe 77 PID 4772 wrote to memory of 3264 4772 default.exe 77 PID 4772 wrote to memory of 3264 4772 default.exe 77 PID 4772 wrote to memory of 3264 4772 default.exe 77 PID 4772 wrote to memory of 3264 4772 default.exe 77 PID 4208 wrote to memory of 4488 4208 csrss.exe 81 PID 4208 wrote to memory of 4488 4208 csrss.exe 81 PID 4208 wrote to memory of 4488 4208 csrss.exe 81 PID 4208 wrote to memory of 4480 4208 csrss.exe 82 PID 4208 wrote to memory of 4480 4208 csrss.exe 82 PID 4208 wrote to memory of 4480 4208 csrss.exe 82 PID 4208 wrote to memory of 4560 4208 csrss.exe 84 PID 4208 wrote to memory of 4560 4208 csrss.exe 84 PID 4208 wrote to memory of 4560 4208 csrss.exe 84 PID 4208 wrote to memory of 4600 4208 csrss.exe 86 PID 4208 wrote to memory of 4600 4208 csrss.exe 86 PID 4208 wrote to memory of 4600 4208 csrss.exe 86 PID 4208 wrote to memory of 4660 4208 csrss.exe 88 PID 4208 wrote to memory of 4660 4208 csrss.exe 88 PID 4208 wrote to memory of 4660 4208 csrss.exe 88 PID 4208 wrote to memory of 636 4208 csrss.exe 90 PID 4208 wrote to memory of 636 4208 csrss.exe 90 PID 4208 wrote to memory of 636 4208 csrss.exe 90 PID 4208 wrote to memory of 1180 4208 csrss.exe 92 PID 4208 wrote to memory of 1180 4208 csrss.exe 92 PID 4208 wrote to memory of 1180 4208 csrss.exe 92 PID 4208 wrote to memory of 1404 4208 csrss.exe 94 PID 4208 wrote to memory of 1404 4208 csrss.exe 94 PID 4208 wrote to memory of 1404 4208 csrss.exe 94 PID 1404 wrote to memory of 1620 1404 cmd.exe 96 PID 1404 wrote to memory of 1620 1404 cmd.exe 96 PID 1404 wrote to memory of 1620 1404 cmd.exe 96 PID 4208 wrote to memory of 2548 4208 csrss.exe 99 PID 4208 wrote to memory of 2548 4208 csrss.exe 99 PID 4208 wrote to memory of 2548 4208 csrss.exe 99 PID 2548 wrote to memory of 2600 2548 cmd.exe 101 PID 2548 wrote to memory of 2600 2548 cmd.exe 101 PID 2548 wrote to memory of 2600 2548 cmd.exe 101 PID 4208 wrote to memory of 196 4208 csrss.exe 103 PID 4208 wrote to memory of 196 4208 csrss.exe 103 PID 4208 wrote to memory of 196 4208 csrss.exe 103 PID 4208 wrote to memory of 196 4208 csrss.exe 103 PID 4208 wrote to memory of 196 4208 csrss.exe 103 PID 4208 wrote to memory of 196 4208 csrss.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\default.exe"C:\Users\Admin\AppData\Local\Temp\default.exe"1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 03⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4488
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵PID:4480
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵PID:4560
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵PID:4600
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup3⤵PID:4660
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:03⤵PID:636
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete backup3⤵PID:1180
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2600
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe3⤵PID:196
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe2⤵
- Deletes itself
PID:3264
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2160