Analysis
max time kernel: 151s
max time network: 132s
platform: windows7_x64
resource: win7v20201028
submitted: 11-12-2020 17:11
Static task: static1
Behavioral task: behavioral1 (sample TrustedInstaller.exe, resource win7v20201028)
Behavioral task: behavioral2 (sample TrustedInstaller.exe, resource win10v20201028)
The behaviour recorded below is from the Windows 7 x64 run (behavioral1).
General
Target: TrustedInstaller.exe
Size: 449KB
MD5: 574f031251f67bcc6ea9168364d2fbfd
SHA1: f5d6140140829eaa550d2ef57b3ca8281b3d79bb
SHA256: 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8
SHA512: d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b
The file name imitates the Windows Modules Installer; the genuine TrustedInstaller.exe runs only from C:\Windows\servicing, whereas this sample was launched from the user's %TEMP% directory.
Malware Config
Extracted from: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
Contact e-mails: wiruxa@airmail.cc, anygrishevich@yandex.ru
Signatures
Buran
Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery. In this run the shadow copies are deleted through both vssadmin and wmic, and the Windows Backup catalog through wbadmin (see the process tree).
Executes dropped EXE (2 IoCs)
pid process
1888 smss.exe
1756 smss.exe
Both are the copy dropped at C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe. The name imitates the Session Manager, which only ever runs from C:\Windows\System32; an smss.exe anywhere else is a reliable indicator.
Deletes itself (1 IoCs)
pid process
1836 notepad.exe
The deletion of the original file is credited to notepad.exe, a process the sample spawned and wrote into seven times (see WriteProcessMemory below), not to the sample's own process.
Loads dropped DLL (1 IoCs)
pid process
1828 TrustedInstaller.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
process: TrustedInstaller.exe
Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run
Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"
The value is the dropped copy with the -start switch, the same command line as PID 1888 in the process tree, so the dropper is re-launched at every logon of this user (HKCU Run, no elevation needed).
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
process: smss.exe
File opened (read-only): \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
That is every drive letter except C: and D:, a full sweep in which any mapped network share or removable volume would be found as well.
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 6: geoiptool.com
Drops file in Program Files directory (13575 IoCs; the report shows a sample of the entries)
process: smss.exe
Encrypted files receive the suffix .A3D-0BC-6D1 in this run; treat that literal suffix as an indicator for this infection only, since it is an ID assigned per run rather than a fixed family extension. A copy of the ransom note is created alongside the files (see the "File created" entry).
File opened for modification (unless noted):
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152594.WMF.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196110.WMF.A3D-0BC-6D1
C:\Program Files\7-Zip\Lang\sl.txt.A3D-0BC-6D1
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml.A3D-0BC-6D1
C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Generic.gif.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07831_.WMF.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02441_.WMF.A3D-0BC-6D1
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_ja_4.4.0.v20140623020002.jar.A3D-0BC-6D1
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d
C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02198_.GIF.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml.A3D-0BC-6D1
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00195_.WMF
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Casual.gif
C:\Program Files\7-Zip\Lang\kaa.txt.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VeriSign_Class_3_Code_Signing_2001-4_CA.cer.A3D-0BC-6D1
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\org-openide-filesystems.jar
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02288_.WMF.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00834_.WMF
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV.HXS.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\PublicFunctions.js
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103058.WMF.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00494_.WMF
C:\Program Files\Java\jdk1.7.0_80\jre\lib\plugin.jar.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01682_.WMF
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00171_.GIF.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01777_.WMF.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00097_.WMF.A3D-0BC-6D1
C:\Program Files\Java\jre7\LICENSE.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml.A3D-0BC-6D1
C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232395.WMF.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239935.WMF.A3D-0BC-6D1
C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+11
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297269.WMF
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay.css
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck.css
C:\Program Files\Java\jre7\lib\zi\Etc\UCT.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00021_.WMF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115876.GIF
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Malta
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG
C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG_F_COL.HXK.A3D-0BC-6D1
C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png
C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png
C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunmscapi.jar
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238333.WMF.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREQ.CFG.A3D-0BC-6D1
C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground_PAL.wmv
File created: C:\Program Files\Java\jre7\lib\zi\Indian\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\vlc.mo.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01586_.WMF
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_ja.jar
C:\Program Files\Java\jre7\lib\zi\Asia\Kathmandu
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME34.CSS.A3D-0BC-6D1
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp.A3D-0BC-6D1
C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0212661.WMF.A3D-0BC-6D1
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid process
1676 vssadmin.exe
1392 vssadmin.exe
Modifies system certificate store (5 IoCs)
process: TrustedInstaller.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted), recorded twice
process: smss.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted)
AuthRoot\Certificates is the cache that CryptoAPI's automatic root-certificate update fills when a chain is built against a root not yet present on the machine; the CryptnetUrlCache files under Downloads are the other half of that fetch. This pattern is consistent with ordinary chain validation during the sample's network activity rather than with the sample installing a root of its own. Before treating the thumbprint as an indicator, compare it with the Microsoft trusted root list.
Suspicious behavior: EnumeratesProcesses (1182 IoCs)
pid process
1888 smss.exe (every entry shown is PID 1888; the list is truncated in the report)
Suspicious use of AdjustPrivilegeToken (85 IoCs; 64 shown)
pid process: privileges enabled
1828 TrustedInstaller.exe: SeDebugPrivilege (twice)
816 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
1776 WMIC.exe: the same set, recorded twice (the second pass ends at 34)
1628 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
The numeric entries 33, 34 and 35 are privilege LUIDs the sandbox did not resolve: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. wmic.exe enables every privilege held by its token when it starts, so the long WMIC lists are wmic's normal behaviour rather than anything the sample requested. The entry that matters is SeDebugPrivilege enabled by the sample's own process (PID 1828), which is also the process that writes into smss.exe and notepad.exe.
Suspicious use of WriteProcessMemory (55 IoCs)
source pid process -> target pid process (writes recorded)
1828 TrustedInstaller.exe -> 1888 smss.exe (4)
1828 TrustedInstaller.exe -> 1836 notepad.exe (7)
1888 smss.exe -> 1028 cmd.exe (4)
1888 smss.exe -> 1560 cmd.exe (4)
1888 smss.exe -> 812 cmd.exe (4)
1888 smss.exe -> 628 cmd.exe (4)
1888 smss.exe -> 1192 cmd.exe (4)
1888 smss.exe -> 1648 cmd.exe (4)
1888 smss.exe -> 1756 smss.exe (4)
1028 cmd.exe -> 816 WMIC.exe (4)
1192 cmd.exe -> 1676 vssadmin.exe (4)
1648 cmd.exe -> 1776 WMIC.exe (4)
1648 cmd.exe -> 1392 vssadmin.exe (4)
Every process creation in this run is accompanied by exactly four writes from the parent, so those entries simply mirror the process tree. The seven writes into notepad.exe break the pattern: notepad.exe is the process credited with deleting the original file, so the parent appears to have planted the self-delete in a benign host process.
Processes
Indentation shows the parent/child relationship; the level numbers are the report's own. PIDs come from the WriteProcessMemory and memory-dump sequence above (the three cmd.exe instances without children are assigned in creation order).
C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe  (PID 1828, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe"
  Loads dropped DLL; Adds Run key to start application; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe  (PID 1888, level 2)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
    Executes dropped EXE; Enumerates connected drives; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 1028, level 3)
      command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 816, level 4)
        command line: wmic shadowcopy delete
        Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  (PID 1560, level 3)
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
      (no child process recorded)
    C:\Windows\SysWOW64\cmd.exe  (PID 812, level 3)
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      (no child process recorded)
    C:\Windows\SysWOW64\cmd.exe  (PID 628, level 3)
      command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
      (no child process recorded)
    C:\Windows\SysWOW64\cmd.exe  (PID 1192, level 3)
      command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\vssadmin.exe  (PID 1676, level 4)
        command line: vssadmin delete shadows /all /quiet
        Interacts with shadow copies
    C:\Windows\SysWOW64\cmd.exe  (PID 1648, level 3)
      command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 1776, level 4)
        command line: wmic shadowcopy delete
        Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\vssadmin.exe  (PID 1392, level 4)
        command line: vssadmin delete shadows /all /quiet
        Interacts with shadow copies
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe  (PID 1756, level 3)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
      Executes dropped EXE; Drops file in Program Files directory
  C:\Windows\SysWOW64\notepad.exe  (PID 1836, level 2)
    command line: notepad.exe
    Deletes itself
C:\Windows\system32\vssvc.exe  (PID 1628, level 1)
  command line: C:\Windows\system32\vssvc.exe
  Suspicious use of AdjustPrivilegeToken
Reading the tree: the image paths under SysWOW64 show the sample is a 32-bit executable running under WOW64; its command lines name system32 and are redirected. The "-start" instance of smss.exe does the recovery inhibition and then launches the "-agent 0" instance, which is the one that encrypts Program Files. Shadow-copy deletion runs twice, once directly and once again from ~temp001.bat (hashes under Downloads; its content is not shown). The cmd.exe wrappers for bcdedit and wbadmin have no child process recorded, so whether those two steps actually executed in this sandbox cannot be confirmed from the report. vssvc.exe is the Volume Shadow Copy service being started to service the deletion requests, not a component of the sample.
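The five command lines in the tree above are the whole recovery-inhibition chain, and the Run key plus the smss.exe and TrustedInstaller.exe names are the persistence and masquerading side. The following Python is an example added to this page, not code from the sandbox vendor or from the Buran sample: it turns those observations into detection logic and runs it over a constructed, Sysmon-like event log modelled on this tree. The pipe-delimited event layout, the SYSTEM_BINARIES table and the verdict thresholds are this example's own assumptions; the PIDs, paths and command lines are taken from the report.

```python
import re
from collections import Counter
from typing import List, NamedTuple

# Constructed event layout used by this example (not Sysmon's real export):
#   event_id|pid|image|details
#   event 1  = process creation, details = command line
#   event 13 = registry value set, details = "<key>=<value>"
#   event 11 = file created, details = path of the new file
class Event(NamedTuple):
    event_id: int
    pid: int
    image: str
    details: str

def parse_event(line: str) -> Event:
    event_id, pid, image, details = line.rstrip("\n").split("|", 3)
    return Event(int(event_id), int(pid), image, details)

# T1490 Inhibit System Recovery: the five command lines in the tree above.
INHIBIT_RECOVERY = {
    "vssadmin delete shadows":
        re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic shadowcopy delete":
        re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit recoveryenabled no":
        re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "bcdedit bootstatuspolicy ignoreallfailures":
        re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    "wbadmin delete catalog":
        re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
}

# T1036.005 Masquerading: Windows binary names and the one path each runs from.
# This table is the example's own assumption; extend it with names your estate sees.
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32\smss.exe",
    "csrss.exe": r"c:\windows\system32\csrss.exe",
    "trustedinstaller.exe": r"c:\windows\servicing\trustedinstaller.exe",
}

RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
RANSOM_NOTE = "!!! all your files are encrypted !!!.txt"  # note name seen in this run

def masquerade(path: str) -> bool:
    """True when a system-binary name runs from anywhere but its home path."""
    name = path.rsplit("\\", 1)[-1].lower()
    expected = SYSTEM_BINARIES.get(name)
    return expected is not None and path.lower() != expected

def classify(ev: Event) -> List[str]:
    """Technique labels one event matches; empty when it looks benign."""
    findings: List[str] = []
    if ev.event_id == 1:
        for label, pattern in INHIBIT_RECOVERY.items():
            if pattern.search(ev.details):
                findings.append(f"T1490 {label}")
        if masquerade(ev.image):
            findings.append(f"T1036.005 {ev.image}")
    elif ev.event_id == 13 and RUN_KEY.search(ev.details):
        key, _, value = ev.details.partition("=")
        findings.append("T1547.001 Run key " + key.rsplit("\\", 1)[-1])
        target = value.strip().lstrip('"').split('"')[0]  # quoted path, switches dropped
        if masquerade(target):
            findings.append(f"T1036.005 {target}")
    elif ev.event_id == 11 and ev.details.lower().endswith(RANSOM_NOTE):
        findings.append("ransom note dropped")
    return findings

def scan(lines: List[str]) -> Counter:
    """Count findings over a whole log; blank lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        if line.strip():
            counts.update(classify(parse_event(line)))
    return counts

def verdict(counts: Counter) -> str:
    """Two or more distinct T1490 techniques plus persistence or a ransom note is
    the combination this report shows; either side alone is only suspicious."""
    inhibit = sum(1 for k in counts if k.startswith("T1490"))
    persist = any(k.startswith("T1547") for k in counts)
    if inhibit >= 2 and (persist or counts["ransom note dropped"]):
        return "ransomware"
    if inhibit or persist:
        return "suspicious"
    return "clean"

# Constructed sample log: PIDs, paths and command lines from the report above,
# plus one genuine smss.exe (PID 4) to show the masquerade check stays quiet.
SAMPLE_LOG = r"""
1|1828|C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe|"C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe"
13|1828|C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe|HKU\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe="C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
1|1888|C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe|"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
1|1028|C:\Windows\SysWOW64\cmd.exe|"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
1|1560|C:\Windows\SysWOW64\cmd.exe|"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
1|812|C:\Windows\SysWOW64\cmd.exe|"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
1|628|C:\Windows\SysWOW64\cmd.exe|"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
1|1192|C:\Windows\SysWOW64\cmd.exe|"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
1|1676|C:\Windows\SysWOW64\vssadmin.exe|vssadmin delete shadows /all /quiet
11|1756|C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe|C:\Program Files\Java\jre7\lib\zi\Indian\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
1|4|C:\Windows\System32\smss.exe|\SystemRoot\System32\smss.exe
"""

if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines())
    for finding, n in sorted(result.items()):
        print(f"{n:3d}  {finding}")
    print("verdict:", verdict(result))
```

The verdict deliberately requires two distinct recovery-inhibition techniques before calling ransomware: a single vssadmin invocation is also what a backup administrator types, while bcdedit, wbadmin and vssadmin within one process tree, with a Run key pointing at a user-profile smss.exe, has no benign reading. The masquerade check compares full paths, not just names, so the real smss.exe in System32 never fires.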
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
The CryptnetUrlCache entries are CryptoAPI's cache of certificate data fetched during chain building (they pair with the AuthRoot registry writes above); the Content.IE5 entries are the WinINet cache of the sample's HTTP activity, of which geoiptool.com is the only flow listed.
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5: 85934f14cc9248f76c58dc21180b4f15
SHA1: 5ae41d9bea1cd413260de621f2302febd1e00323
SHA256: 0d0b47c2e46b455f2d5b2bc0893585790da8a86e36f4a45311bf0a579a5efe58
SHA512: 8496972fcf149a5df72b1a9aef3865c27fe0b9cba9e3af03b0a562c8b64a89d8834a3c18008d1610fab0741decadfdb1c14f9c1b9d1307bbb23a0b6a148b5e88
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5: 4bddfe3851f7aa064be1b88af5e4516d
SHA1: 2619398420a8e45f8f68c7c02ff2fd8c5ae3f18a
SHA256: 1427416bef65c2419a8fc224206c5131d6d7b391bc74faae87859640ce0fc3dc
SHA512: 1874f93cc946fe5a1f1852f0bb740247cb8835993d7cd217e1347af794b6f606c9ad9c1b6b0604c229296d170961c88d0b31824b9f854d326fe8b10557e84040
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5: a54e6020d8dade29e93e679d7d067676
SHA1: 1ff53fa146566b3dc7a4dc43c91650a89b0bca5f
SHA256: 3762d5141f299aa6d5bb5197aa8459d1741a4602c875a14531b77ebc861c7bbb
SHA512: 87da29500b7ca80c15eea68253298c50073e2c643aae474b700ddd8117f7eac6bd53fc9a5358aa2bebe513e2041ca101337a13f21f0ef16450607ecc7f57b43d
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5: 50f7ecae8c22042454f3102f76afdd74
SHA1: b355b6e95e3521eed1b11f2fb43063d7946ff2eb
SHA256: e0d6d3c4c205a2e9f1887a19847d7bbe10b958648e25bee82c2de91e755cd4c9
SHA512: b198b326beaec5db464a536343e30d467200be9442714ad5a85ff9b6ab16be79c2a98f3867b8cb185582401c448704ec5890491ed76fc86b4e614417eeadd79d
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5: 34d6b04d324ac57a7783963b9b7dddfc
SHA1: c241ad7f46d92e0353048a64149bdc1674183a8f
SHA256: 0cd0d960b8b307b1eae1c450d283ce77229489238dddf9332164744890c13816
SHA512: 9907c7610e97da8d01f3849ffb5597c71575c1e15d6fe80f5f3818f8b9ea24b4d1213cac75f42dfd9a754e592473adf3e0c9ed69aa1bdf3e325cb04190816e86
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5: 02d1a233e8a93d9c59bec35983c02e63
SHA1: 027b63a488bfaaca5b4bd27d4a16c0e60d78b78d
SHA256: 831a3de4d5b34d929c8d8b89678b6c4a46fae8a5844a217f045d310454cae4d7
SHA512: ce01e8d820b0f5ba42b663f47861e57c8fc41b0e6eb01e15891cc8ed6c854fb540e3730ac83e84ec0853def2e863ca620748f098e04d4e3285580f35d0c5725a
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5: b86a48ef732298e70da951866142ac23
SHA1: 6798de65aa13dcee04bbf85f092246f670440739
SHA256: 65a2bbc49dea73024d1aec8392181f1e84bfe555d0704318a51bac84d1f4fda5
SHA512: 31f2405676ee467f315287bd3fac51707ee273aac21307ddd1b6e37a90d08cf54a28fc2c5558ceb78bff5819d5e8a644cdf3583d40425dfa5a124afd8d3ac2a7
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3O0J2C38\Z6CQZJWK.htm
MD5: 8615e70875c2cc0b9db16027b9adf11d
SHA1: 4ed62cf405311c0ff562a3c59334a15ddc4f1bf9
SHA256: da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d
SHA512: cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7ISB2KAC\XUEUIXT0.htm
MD5: b1cd7c031debba3a5c77b39b6791c1a7
SHA1: e5d91e14e9c685b06f00e550d9e189deb2075f76
SHA256: 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
SHA512: d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5: ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1: b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256: e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512: b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe (listed three times in the report, once as \Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe; all three entries carry the same hashes)
MD5: 574f031251f67bcc6ea9168364d2fbfd
SHA1: f5d6140140829eaa550d2ef57b3ca8281b3d79bb
SHA256: 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8
SHA512: d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b
These hashes are identical to the submitted sample's, so the dropper copies itself byte-for-byte into the Roaming profile; one hash therefore covers both the delivered file and the persisted copy.
Memory dumps (named <pid>-<sequence>-<range>)
memory/628-20-0x0000000000000000-mapping.dmp
memory/812-19-0x0000000000000000-mapping.dmp
memory/816-25-0x0000000000000000-mapping.dmp
memory/1028-17-0x0000000000000000-mapping.dmp
memory/1192-21-0x0000000000000000-mapping.dmp
memory/1392-29-0x0000000000000000-mapping.dmp
memory/1560-18-0x0000000000000000-mapping.dmp
memory/1572-2-0x000007FEF79D0000-0x000007FEF7C4A000-memory.dmp (2.5MB)
memory/1648-22-0x0000000000000000-mapping.dmp
memory/1676-27-0x0000000000000000-mapping.dmp
memory/1756-23-0x0000000000000000-mapping.dmp
memory/1776-28-0x0000000000000000-mapping.dmp
memory/1836-6-0x00000000000A0000-0x00000000000A1000-memory.dmp (4KB)
memory/1836-7-0x0000000000000000-mapping.dmp
memory/1888-4-0x0000000000000000-mapping.dmp
The only two dumps with content are a 2.5MB region of PID 1572, a PID that does not appear in the process tree, and a 4KB region at 0xA0000 in notepad.exe (PID 1836), the process that carried out the self-delete; that small region is the natural place to look for what the parent wrote.