buran | 390d7472201e8ea9bdc6c7fa2b4ab1f6faca02071f1f997037cc5f52759a9cb6

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

max time kernel
304s
max time network
448s
platform
windows10_x64
resource
win10v20201028
submitted
19-11-2020 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

default.exe

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 13A-721-97F Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

csrss.execsrss.exe

pid process

4208 csrss.exe
4488 csrss.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

3264 notepad.exe

pid	process
4208	csrss.exe
4488	csrss.exe

pid	process
3264	notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

default.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	default.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start"	default.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

csrss.exe

description	ioc	process
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\F:	csrss.exe
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\I:	csrss.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\A:	csrss.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\T:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\B:	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 geoiptool.com

flow	ioc
7	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

csrss.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms.13A-721-97F	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugin.js	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\ui-strings.js.13A-721-97F	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down-pressed.gif.13A-721-97F	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\de-de\ui-strings.js	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fi_get.svg	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_ja.jar	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.13A-721-97F	csrss.exe
File created	C:\Program Files\VideoLAN\VLC\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_contrast-high.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Microsoft.StickyNotes.Views\Images\Frown.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-unplated.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_checkbox_selected_18.svg	csrss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png.13A-721-97F	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\spider\Web_Surfing_.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\_Resources\5.rsrc	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3899_24x24x32.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xecd2.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\ui-strings.js.13A-721-97F	csrss.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\Buttons\Menu\Menu-press.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-200.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar.13A-721-97F	csrss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ye_60x42.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8268_32x32x32.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSmallTile.scale-200.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_share_18.svg.13A-721-97F	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\main.css	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveDrop32x32.gif.13A-721-97F	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\cacerts.13A-721-97F	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-dialogs_ja.jar.13A-721-97F	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_en.dub	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\evilgrin.png	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML.13A-721-97F	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1250_32x32x32.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-200.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\de-de\ui-strings.js.13A-721-97F	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nl-nl\ui-strings.js.13A-721-97F	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt	csrss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-100.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down.gif.13A-721-97F	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\ui-strings.js	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML.13A-721-97F	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-100.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil_2x.png.13A-721-97F	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\remove.svg.13A-721-97F	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\ui-strings.js	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2600 vssadmin.exe

pid	process
2600	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

default.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	default.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	default.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

default.execsrss.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4772	default.exe
Token: SeDebugPrivilege	4772	default.exe
Token: SeDebugPrivilege	4208	csrss.exe
Token: SeIncreaseQuotaPrivilege	1620	WMIC.exe
Token: SeSecurityPrivilege	1620	WMIC.exe
Token: SeTakeOwnershipPrivilege	1620	WMIC.exe
Token: SeLoadDriverPrivilege	1620	WMIC.exe
Token: SeSystemProfilePrivilege	1620	WMIC.exe
Token: SeSystemtimePrivilege	1620	WMIC.exe
Token: SeProfSingleProcessPrivilege	1620	WMIC.exe
Token: SeIncBasePriorityPrivilege	1620	WMIC.exe
Token: SeCreatePagefilePrivilege	1620	WMIC.exe
Token: SeBackupPrivilege	1620	WMIC.exe
Token: SeRestorePrivilege	1620	WMIC.exe
Token: SeShutdownPrivilege	1620	WMIC.exe
Token: SeDebugPrivilege	1620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1620	WMIC.exe
Token: SeRemoteShutdownPrivilege	1620	WMIC.exe
Token: SeUndockPrivilege	1620	WMIC.exe
Token: SeManageVolumePrivilege	1620	WMIC.exe
Token: 33	1620	WMIC.exe
Token: 34	1620	WMIC.exe
Token: 35	1620	WMIC.exe
Token: 36	1620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1620	WMIC.exe
Token: SeSecurityPrivilege	1620	WMIC.exe
Token: SeTakeOwnershipPrivilege	1620	WMIC.exe
Token: SeLoadDriverPrivilege	1620	WMIC.exe
Token: SeSystemProfilePrivilege	1620	WMIC.exe
Token: SeSystemtimePrivilege	1620	WMIC.exe
Token: SeProfSingleProcessPrivilege	1620	WMIC.exe
Token: SeIncBasePriorityPrivilege	1620	WMIC.exe
Token: SeCreatePagefilePrivilege	1620	WMIC.exe
Token: SeBackupPrivilege	1620	WMIC.exe
Token: SeRestorePrivilege	1620	WMIC.exe
Token: SeShutdownPrivilege	1620	WMIC.exe
Token: SeDebugPrivilege	1620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1620	WMIC.exe
Token: SeRemoteShutdownPrivilege	1620	WMIC.exe
Token: SeUndockPrivilege	1620	WMIC.exe
Token: SeManageVolumePrivilege	1620	WMIC.exe
Token: 33	1620	WMIC.exe
Token: 34	1620	WMIC.exe
Token: 35	1620	WMIC.exe
Token: 36	1620	WMIC.exe
Token: SeBackupPrivilege	2160	vssvc.exe
Token: SeRestorePrivilege	2160	vssvc.exe
Token: SeAuditPrivilege	2160	vssvc.exe
Token: SeDebugPrivilege	4208	csrss.exe
Token: SeDebugPrivilege	4208	csrss.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

default.execsrss.execmd.execmd.exe

description	pid	process	target process
PID 4772 wrote to memory of 4208	4772	default.exe	csrss.exe
PID 4772 wrote to memory of 4208	4772	default.exe	csrss.exe
PID 4772 wrote to memory of 4208	4772	default.exe	csrss.exe
PID 4772 wrote to memory of 3264	4772	default.exe	notepad.exe
PID 4772 wrote to memory of 3264	4772	default.exe	notepad.exe
PID 4772 wrote to memory of 3264	4772	default.exe	notepad.exe
PID 4772 wrote to memory of 3264	4772	default.exe	notepad.exe
PID 4772 wrote to memory of 3264	4772	default.exe	notepad.exe
PID 4772 wrote to memory of 3264	4772	default.exe	notepad.exe
PID 4208 wrote to memory of 4488	4208	csrss.exe	csrss.exe
PID 4208 wrote to memory of 4488	4208	csrss.exe	csrss.exe
PID 4208 wrote to memory of 4488	4208	csrss.exe	csrss.exe
PID 4208 wrote to memory of 4480	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 4480	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 4480	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 4560	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 4560	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 4560	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 4600	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 4600	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 4600	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 4660	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 4660	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 4660	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 636	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 636	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 636	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 1180	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 1180	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 1180	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 1404	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 1404	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 1404	4208	csrss.exe	cmd.exe
PID 1404 wrote to memory of 1620	1404	cmd.exe	WMIC.exe
PID 1404 wrote to memory of 1620	1404	cmd.exe	WMIC.exe
PID 1404 wrote to memory of 1620	1404	cmd.exe	WMIC.exe
PID 4208 wrote to memory of 2548	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 2548	4208	csrss.exe	cmd.exe
PID 4208 wrote to memory of 2548	4208	csrss.exe	cmd.exe
PID 2548 wrote to memory of 2600	2548	cmd.exe	vssadmin.exe
PID 2548 wrote to memory of 2600	2548	cmd.exe	vssadmin.exe
PID 2548 wrote to memory of 2600	2548	cmd.exe	vssadmin.exe
PID 4208 wrote to memory of 196	4208	csrss.exe	notepad.exe
PID 4208 wrote to memory of 196	4208	csrss.exe	notepad.exe
PID 4208 wrote to memory of 196	4208	csrss.exe	notepad.exe
PID 4208 wrote to memory of 196	4208	csrss.exe	notepad.exe
PID 4208 wrote to memory of 196	4208	csrss.exe	notepad.exe
PID 4208 wrote to memory of 196	4208	csrss.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\default.exe
"C:\Users\Admin\AppData\Local\Temp\default.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4208

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
3⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
3⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete backup
3⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2600

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:196

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:3264

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JGAO043J\VTDZ4VWC.htm

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S7PGJ114\ASKNT69L.htm

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

Download Submit
C:\Users\Admin\Desktop\ConfirmComplete.eps.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\ConvertCompare.mpeg.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\DisconnectGroup.csv.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\DisconnectRemove.wmf.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\GetSkip.mp2.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\InvokeTest.lock.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\JoinCompress.css.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\ReadMove.wmf.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\RedoLock.ppsx.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\RegisterAdd.iso.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\RegisterOptimize.mpeg.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\RenameSync.emz.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\RepairPop.avi.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\RestartResume.M2V.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\RevokeFind.m1v.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\SendReset.pdf.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\SetRestore.TTS.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\SplitSelect.xltx.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\SuspendCheckpoint.midi.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\SuspendGrant.dwfx.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\SuspendSync.vstm.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\UnblockConvertFrom.tmp.13A-721-97F

Download Submit
C:\Users\Admin\Desktop\UninstallCompress.ADT.13A-721-97F

Download Submit
memory/196-48-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/196-49-0x0000000000000000-mapping.dmp

Download
memory/636-19-0x0000000000000000-mapping.dmp

Download
memory/1180-20-0x0000000000000000-mapping.dmp

Download
memory/1404-21-0x0000000000000000-mapping.dmp

Download
memory/1620-22-0x0000000000000000-mapping.dmp

Download
memory/2548-23-0x0000000000000000-mapping.dmp

Download
memory/2600-24-0x0000000000000000-mapping.dmp

Download
memory/3264-3-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3264-4-0x0000000000000000-mapping.dmp

Download
memory/4208-0-0x0000000000000000-mapping.dmp

Download
memory/4480-15-0x0000000000000000-mapping.dmp

Download
memory/4488-13-0x0000000000000000-mapping.dmp

Download
memory/4560-16-0x0000000000000000-mapping.dmp

Download
memory/4600-17-0x0000000000000000-mapping.dmp

Download
memory/4660-18-0x0000000000000000-mapping.dmp

Download