Analysis

- Max time kernel: 150s
- Max time network: 127s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 11-12-2020 17:11

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample TrustedInstaller.exe, resource win7v20201028)
- Behavioral task: behavioral2 (sample TrustedInstaller.exe, resource win10v20201028)
General

- Target: TrustedInstaller.exe
- Size: 449KB
- MD5: 574f031251f67bcc6ea9168364d2fbfd
- SHA1: f5d6140140829eaa550d2ef57b3ca8281b3d79bb
- SHA256: 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8
- SHA512: d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b
Malware Config

Extracted from: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- Family: buran
- Contact e-mail: wiruxa@airmail.cc
- Contact e-mail: anygrishevich@yandex.ru
Signatures

- Buran
  Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Executes dropped EXE (2 IoCs)
  Processes: PID 2092 TrustedInstaller.exe, PID 4044 TrustedInstaller.exe

- Deletes itself (1 IoC)
  Processes: PID 3084 notepad.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process TrustedInstaller.exe:
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\TrustedInstaller.exe\" -start"
  The value name and file name borrow those of the Windows Modules Installer, whose genuine binary is C:\Windows\servicing\TrustedInstaller.exe. This copy is launched from the user's roaming AppData profile, a user-writable location, so the name match is a masquerade rather than a system component.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process TrustedInstaller.exe: File opened (read-only) on \??\A:, \??\B: and \??\E: through \??\Z:, i.e. every drive letter except C: and D: (24 in all).
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 10: geoiptool.com
- Drops file in Program Files directory (24137 IoCs)
  Process TrustedInstaller.exe. The report samples 64 of the events; ".186-14C-97B" is the extension appended to encrypted files and "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT" the ransom note dropped into each directory:
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\packager.jar.186-14C-97B
  - File opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE
  - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALN.TTF
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\organize.svg.186-14C-97B
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\es-es\ui-strings.js.186-14C-97B
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Backgrounds\Background2.png
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\9434_24x24x32.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\ui-strings.js.186-14C-97B
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png.186-14C-97B
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\it-it\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  - File created: C:\Program Files\Java\jdk1.8.0_66\db\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml.186-14C-97B
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ul-oob.xrm-ms
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\desktop.js.186-14C-97B
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_2x.png.186-14C-97B
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\!!! ALL YO	UR FILES ARE ENCRYPTED !!!.TXT
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml.186-14C-97B
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-400.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_partialselected-default_18.svg.186-14C-97B
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.186-14C-97B
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Audio\RibbonHit_A.wav
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sendforcomments_18.svg.186-14C-97B
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\ui-strings.js.186-14C-97B
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nl-nl\ui-strings.js
  - File opened for modification: C:\Program Files\7-Zip\Lang\gu.txt
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.186-14C-97B
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_zh_CN.jar.186-14C-97B
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms.186-14C-97B
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-pl.xrm-ms
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-400.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-100_contrast-black.png
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar.186-14C-97B
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.sat4j.core_2.3.5.v201308161310.jar.186-14C-97B
  - File opened for modification: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-ms
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\pl_16x11.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\ui-strings.js.186-14C-97B
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\plugin.js.186-14C-97B
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\visualvm.conf.186-14C-97B
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.VideoTk\InvertColorEffectPS_BGRA.cso
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js.186-14C-97B
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.scale-125_contrast-white.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\jumbo.jpg
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Dark.scale-400.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40_contrast-white.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\export.svg
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\ui-strings.js
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\ui-strings.js.186-14C-97B
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nb-no\ui-strings.js
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_zh_4.4.0.v20140623020002.jar
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms.186-14C-97B
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\63.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-20_altform-unplated.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\osf\businessbarclose_16x16x32.png
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\bg5_thumb.png
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\AppxSignature.p7x
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png
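The file events above are the raw material a responder turns into a sweep. The Python below, an added example that is not part of the sandbox report, parses event lines in the report's own "File <action> <path> <process>" wording, infers the appended victim extension as the suffix most paths share, separates encrypted files from ransom notes and from files that were only opened, and emits a glob for hunting the same extension on other hosts. EVENT_LINES is a constructed subset of the entries listed above; the three-hex-triplet suffix pattern is an assumption drawn from this run (".186-14C-97B") and other Buran builds may format the ID differently.

```python
"""Classify Buran file events and recover the per-run victim extension.

Added example, not part of the sandbox report. EVENT_LINES is a constructed
subset of the report's "Drops file in Program Files directory" entries."""
import re
from collections import Counter

RANSOM_NOTE = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"
# Assumption from this run: the suffix is three groups of three hex digits
# appended after the file's real extension, e.g. "packager.jar.186-14C-97B".
VICTIM_SUFFIX = re.compile(r"\.([0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3})$")
# "File <action> <path> <process>" as printed by the report; the path may
# contain spaces, the process name is the last whitespace-free token.
EVENT_LINE = re.compile(r"^File (opened for modification|created) (.+) (\S+\.exe)$")

EVENT_LINES = r"""
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\packager.jar.186-14C-97B TrustedInstaller.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE TrustedInstaller.exe
File created C:\Program Files\Java\jdk1.8.0_66\db\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT TrustedInstaller.exe
File opened for modification C:\Program Files\7-Zip\Lang\gu.txt TrustedInstaller.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\visualvm.conf.186-14C-97B TrustedInstaller.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT TrustedInstaller.exe
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms.186-14C-97B TrustedInstaller.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\AppxSignature.p7x TrustedInstaller.exe
"""


def parse_events(text):
    """Return (action, path, process) triples; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_LINE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def infer_victim_id(events):
    """The suffix shared by the most paths is taken as this run's victim ID."""
    hits = Counter()
    for _, path, _ in events:
        m = VICTIM_SUFFIX.search(path)
        if m:
            hits[m.group(1)] += 1
    return hits.most_common(1)[0][0] if hits else None


def triage(events):
    victim_id = infer_victim_id(events)
    result = {"victim_id": victim_id, "encrypted": [], "ransom_notes": [],
              "touched_only": [], "by_process": Counter()}
    for action, path, proc in events:
        result["by_process"][proc] += 1
        folder, name = path.rsplit("\\", 1)
        if victim_id and name.endswith("." + victim_id):
            # Strip the suffix to recover the original file name for the victim inventory.
            result["encrypted"].append(folder + "\\" + name[: -len(victim_id) - 1])
        elif action == "created" and name == RANSOM_NOTE:
            result["ransom_notes"].append(folder)
        else:
            # Opened but not renamed in the sampled events: the original being
            # read/overwritten, or a file the sample skipped.
            result["touched_only"].append(path)
    result["sweep_glob"] = f"*.{victim_id}" if victim_id else None
    return result


if __name__ == "__main__":
    r = triage(parse_events(EVENT_LINES))
    print(f"victim ID {r['victim_id']}: sweep other hosts for {r['sweep_glob']}")
    print(f"{len(r['encrypted'])} encrypted, {len(r['ransom_notes'])} notes, "
          f"{len(r['touched_only'])} touched only; by process: {dict(r['by_process'])}")
```

Inferring the suffix from the data rather than hard-coding "186-14C-97B" matters because the ID changes per run; the same script applied to another victim's event log yields that victim's glob.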
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: PID 4484 vssadmin.exe, PID 3644 vssadmin.exe
- Modifies system certificate store
  Process TrustedInstaller.exe:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e
  The key name is the SHA-1 thumbprint of the certificate serialized inside the Blob. The DER it contains is a self-signed root with subject "AAA Certificate Services" (O = Comodo CA Limited, L = Salford, ST = Greater Manchester, C = GB), valid 2004-01-01 to 2028-12-31, and the Blob's friendly-name property reads "Sectigo (AAA)". AuthRoot is the store that Windows' automatic root update fills on demand when a chain needs a root that is not yet cached, so taken together with the CryptnetUrlCache downloads listed below this is consistent with Windows fetching a public root while validating the sample's network activity, not with the sample installing a root of its own. That reading is an inference from the report's data rather than a finding the sandbox made; confirm it by checking that the thumbprint really is the hash of the embedded certificate before dismissing the signature.
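The check just described can be done offline from the registry dump. The Python below is an added example, not part of the sandbox report: it parses the serialized property format Windows uses for certificate-store Blob values (a sequence of little-endian <property id><reserved = 1><length> headers each followed by that many bytes), extracts the DER certificate property, and confirms that its SHA-1 equals the registry key name, that the stored SHA-1 and SHA-256 properties agree with the computed hashes, and that issuer and subject are the same Name (a self-signed root). The hex is the report's own Blob value, split at DER boundaries for readability. Property-ID names are the wincrypt.h constants the author is sure of; the two IDs the script does not name (0x53 and 0x5c in this blob) are reported as hex rather than guessed.

```python
"""Parse and cross-check a Windows certificate-store "Blob" registry value.

Added example, not part of the sandbox report. BLOB_HEX is the value the
report shows under AuthRoot\\Certificates\\D1EB...E349. Property IDs not in
PROP_NAMES are printed as hex rather than guessed."""
import hashlib
import struct

PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID", 0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID", 0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x1D: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID", 0x20: "CERT_CERT_PROP_ID",
    0x62: "CERT_AUTH_ROOT_SHA256_HASH_PROP_ID",
}
KEY_NAME = "D1EB23A46D17D68FD92564C2F1F1601764D8E349"

# X.500 Name: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited,
# CN=AAA Certificate Services. Self-signed root, so it is issuer and subject.
_NAME = ("307b310b3009060355040613024742"
         "311b301906035504080c1247726561746572204d616e63686573746572"
         "3110300e06035504070c0753616c666f7264"
         "311a3018060355040a0c11436f6d6f646f204341204c696d69746564"
         "3121301f06035504030c18414141204365727469666963617465205365727669636573")
_DER = (
    "308204323082031aa003020102020101300d06092a864886f70d0101050500" + _NAME   # v3, serial 1, sha1RSA, issuer
    + "301e170d3034303130313030303030305a170d3238313233313233353935395a" + _NAME  # validity, subject
    + "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"      # RSA-2048 SPKI header
    "be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d"
    "508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eea"
    "f115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f"
    "68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f"
    "9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f627325"
    "86f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef"
    "4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e"
    "529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c38"
    "49c0d5ee82fc9"
    "0203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4"  # e, SKI
    "300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff"  # KeyUsage, BasicConstraints
    "307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f"
    "414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c"
    "2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c"
    "300d06092a864886f70d010105050003820101"  # sha1WithRSAEncryption, BIT STRING of 257 bytes
    "000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8"
    "e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f"
    "5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06a"
    "c3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de5340"
    "6c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec"
    "9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74"
    "d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981"
    "b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e"
)
BLOB_HEX = (
    "5c000000010000000400000000080000"  # 0x5c, 4 bytes (not named here)
    "0900000001000000540000003052"      # EKU property: 8 OIDs
    "06082b0601050507030206082b06010505070303060a2b0601040182370a0304"
    "06082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308"
    "530000000100000043000000"          # 0x53, policy OIDs (not named here)
    "30413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0"
    "301b060567810c010330123010060a2b0601040182373c0101030200c0"
    "620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4"
    "0b000000010000001c0000005300650063007400690067006f002000280041004100410029000000"
    "140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b4"
    "1d00000001000000100000002e0d6875874a44c820912e85e964cfdb"
    "030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349"
    "200000000100000036040000"
) + _DER


def parse_cert_blob(blob):
    """Walk <prop id u32><reserved u32 == 1><len u32><data> records."""
    props, off = {}, 0
    while off < len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property header at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def check_store_entry(key_name, blob_hex):
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[0x20]
    sha1, sha256 = hashlib.sha1(der).hexdigest(), hashlib.sha256(der).hexdigest()
    return {
        "properties": [PROP_NAMES.get(p, hex(p)) for p in props],
        "friendly_name": props.get(0x0B, b"").decode("utf-16-le").rstrip("\x00"),
        "der_len": len(der), "sha1": sha1, "sha256": sha256,
        "key_name_ok": sha1 == key_name.lower(),          # key name is the thumbprint
        "sha1_prop_ok": props.get(0x03, b"").hex() == sha1,
        "sha256_prop_ok": props.get(0x62, b"").hex() == sha256,
        "self_signed": der.count(bytes.fromhex(_NAME)) == 2,  # same Name as issuer and subject
    }


if __name__ == "__main__":
    for k, v in check_store_entry(KEY_NAME, BLOB_HEX).items():
        print(f"{k}: {v}")
```

A mismatch between the key name and the computed SHA-1, or a stored hash property that disagrees with the DER, would mean the value was written by something other than the certificate APIs and deserves a closer look; agreement on all three, plus a subject that is a well-known public CA, supports the benign reading given above.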
- Suspicious behavior: EnumeratesProcesses (7548 IoCs)
  Processes: PID 2092 TrustedInstaller.exe (every sampled event)
- Suspicious use of AdjustPrivilegeToken (89 IoCs)
  Processes:
  - PID 4768 TrustedInstaller.exe: SeDebugPrivilege
  - PID 4600 WMIC.exe and PID 1616 WMIC.exe (each, recorded repeatedly): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privileges 33, 34, 35 and 36 (shown by LUID only)
  - PID 2152 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  The broad WMIC.exe set is what wmic.exe enables for itself on any invocation, and vssvc.exe's backup/restore privileges are normal for the Volume Shadow Copy service; the indicators here are the parent chain and the "shadowcopy delete" command lines, not the token changes. SeDebugPrivilege in the dropper (PID 4768), by contrast, is what it needs to write into other processes.
- Suspicious use of WriteProcessMemory (42 IoCs)
  Processes (writer -> target; the report records each parent/child pair three times, notepad.exe six times):
  - PID 4768 TrustedInstaller.exe -> PID 2092 TrustedInstaller.exe
  - PID 4768 TrustedInstaller.exe -> PID 3084 notepad.exe
  - PID 2092 TrustedInstaller.exe -> cmd.exe PIDs 1300, 1372, 1392, 1584, 1768, 4088
  - PID 2092 TrustedInstaller.exe -> PID 4044 TrustedInstaller.exe
  - PID 1768 cmd.exe -> PID 4484 vssadmin.exe
  - PID 4088 cmd.exe -> PID 1616 WMIC.exe and PID 3644 vssadmin.exe
  - PID 1300 cmd.exe -> PID 4600 WMIC.exe
  All pairs except notepad.exe are the writes a parent makes when it creates a child. The extra writes into notepad.exe, the "Deletes itself" signature being attributed to notepad.exe (PID 3084), and the 4KB private region at 0x6D0000 in that process's memory dump together suggest the dropper injected code into notepad.exe to remove its own file; the report does not state this directly.
Processes

- C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe (PID 4768)
  Command line: "C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe"
  Flags: Adds Run key to start application; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe (PID 2092)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start
    Flags: Executes dropped EXE; Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe (PID 1300)
      Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      Flags: Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4600)
        Command line: wmic shadowcopy delete
        Flags: Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no

    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe (PID 4044)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -agent 0
      Flags: Executes dropped EXE; Drops file in Program Files directory

    - C:\Windows\SysWOW64\cmd.exe (PID 4088)
      Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      Flags: Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1616)
        Command line: wmic shadowcopy delete
        Flags: Suspicious use of AdjustPrivilegeToken

      - C:\Windows\SysWOW64\vssadmin.exe (PID 3644)
        Command line: vssadmin delete shadows /all /quiet
        Flags: Interacts with shadow copies

    - C:\Windows\SysWOW64\cmd.exe (PID 1768)
      Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      Flags: Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\vssadmin.exe (PID 4484)
        Command line: vssadmin delete shadows /all /quiet
        Flags: Interacts with shadow copies

    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet

    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

  - C:\Windows\SysWOW64\notepad.exe (PID 3084)
    Command line: notepad.exe
    Flags: Deletes itself

- C:\Windows\system32\vssvc.exe (PID 2152)
  Command line: C:\Windows\system32\vssvc.exe
  Flags: Suspicious use of AdjustPrivilegeToken

PIDs are taken from the report's IoC sections where a process can be matched unambiguously (the parent/child pairs in the WriteProcessMemory list); the three cmd.exe instances that spawned no recorded child are PIDs 1372, 1392 and 1584 in an order the report does not fix. Two points follow from the tree. First, the image paths are under SysWOW64 while the command lines name system32: the sample is a 32-bit process and its requests for system32 are redirected by WOW64 file-system redirection. Second, the work is split between the two copies of the dropped binary: the "-start" instance installs persistence and runs every recovery-inhibition command (shadow copy deletion via both wmic and vssadmin, disabling Windows recovery and boot-failure handling via bcdedit, and deleting the backup catalog via wbadmin, partly from a dropped ~temp001.bat), while the "-agent 0" instance performs the file encryption.
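The process tree above is the shape a detection should key on: several distinct recovery-inhibition commands under one ancestor, and a system-binary name running from a user profile. The Python below, an added example that is not part of the sandbox report, scores a list of process-creation events for exactly that. EVENTS is constructed from the tree: images and command lines are the report's, PIDs are the report's where it ties parent to child (4768, 2092, 4044, 1300, 4600, 4088, 1616, 3644, 1768, 4484), while the three cmd.exe instances it does not tie to a child are given 1372, 1392 and 1584 arbitrarily, the root's parent PID 1000 is invented, and the PID 5000 event is a constructed benign control. The masquerade check relies on the genuine TrustedInstaller.exe living only in C:\Windows\servicing. In production the events would come from Sysmon Event ID 1 or Security event 4688 rather than a literal list.

```python
"""Score a process tree for ransomware-style recovery inhibition and for a
system-binary name running from the wrong place.

Added example, not part of the sandbox report. EVENTS is constructed from
the report's process tree; PIDs 1372/1392/1584, 1000 and 5000 are not the
report's (see the lead-in)."""
import re
from collections import defaultdict

# (label, pattern matched against the lower-cased command line)
INHIBIT_RULES = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows")),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete")),
    ("bcdedit recoveryenabled no", re.compile(r"\bbcdedit(\.exe)?\s.*\brecoveryenabled\s+no\b")),
    ("bcdedit bootstatuspolicy ignoreallfailures",
     re.compile(r"\bbcdedit(\.exe)?\s.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("wbadmin delete catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog")),
]
# Binaries with exactly one legitimate home; the same file name anywhere else is masquerading.
SYSTEM_BINARY_HOME = {"trustedinstaller.exe": r"c:\windows\servicing\trustedinstaller.exe"}

ROAMING = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


EVENTS = [
    ev(4768, 1000, r"C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe",
       r'"C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe"'),
    ev(2092, 4768, ROAMING, f'"{ROAMING}" -start'),
    ev(1300, 2092, CMD, r'"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete'),
    ev(4600, 1300, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ev(1372, 2092, CMD, r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no'),
    ev(4044, 2092, ROAMING, f'"{ROAMING}" -agent 0'),
    ev(4088, 2092, CMD, r'"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat'),
    ev(1616, 4088, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ev(3644, 4088, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ev(1768, 2092, CMD, r'"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet'),
    ev(4484, 1768, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ev(1392, 2092, CMD, r'"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet'),
    ev(1584, 2092, CMD, r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    # Constructed benign control: a lone bcdedit from an unrelated tree must not alert.
    ev(5000, 900, CMD, r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no'),
]


def root_of(pid, parents):
    """Climb parent links while the parent is itself a known event."""
    seen = set()
    while pid not in seen and parents.get(pid) in parents:
        seen.add(pid)
        pid = parents[pid]
    return pid


def analyze(events, min_techniques=2):
    parents = {e["pid"]: e["ppid"] for e in events}
    images = {e["pid"]: e["image"] for e in events}
    per_root, masquerades = defaultdict(set), []
    for e in events:
        cmd = e["cmdline"].lower()
        for label, rx in INHIBIT_RULES:
            if rx.search(cmd):
                per_root[root_of(e["pid"], parents)].add(label)
        name = e["image"].rsplit("\\", 1)[-1].lower()
        home = SYSTEM_BINARY_HOME.get(name)
        if home and e["image"].lower() != home:
            masquerades.append((e["pid"], e["image"]))
    # One bcdedit tweak is common in admin scripts; a cluster of distinct
    # techniques under a single ancestor is the ransomware signal.
    findings = [{"root_pid": r, "root_image": images[r], "techniques": sorted(t)}
                for r, t in per_root.items() if len(t) >= min_techniques]
    return findings, masquerades


if __name__ == "__main__":
    findings, masq = analyze(EVENTS)
    for f in findings:
        print(f"tree rooted at PID {f['root_pid']} ({f['root_image']}): {', '.join(f['techniques'])}")
    for pid, image in masq:
        print(f"PID {pid}: {image} is not the genuine TrustedInstaller.exe")
```

Grouping by the root of the tree rather than by the immediate parent is what makes the rule survive the cmd.exe and batch-file indirection seen here: every vssadmin, wmic, bcdedit and wbadmin call rolls up to PID 4768 even though none of them is its direct child.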
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5: 85934f14cc9248f76c58dc21180b4f15
  SHA1: 5ae41d9bea1cd413260de621f2302febd1e00323
  SHA256: 0d0b47c2e46b455f2d5b2bc0893585790da8a86e36f4a45311bf0a579a5efe58
  SHA512: 8496972fcf149a5df72b1a9aef3865c27fe0b9cba9e3af03b0a562c8b64a89d8834a3c18008d1610fab0741decadfdb1c14f9c1b9d1307bbb23a0b6a148b5e88

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5: 4bddfe3851f7aa064be1b88af5e4516d
  SHA1: 2619398420a8e45f8f68c7c02ff2fd8c5ae3f18a
  SHA256: 1427416bef65c2419a8fc224206c5131d6d7b391bc74faae87859640ce0fc3dc
  SHA512: 1874f93cc946fe5a1f1852f0bb740247cb8835993d7cd217e1347af794b6f606c9ad9c1b6b0604c229296d170961c88d0b31824b9f854d326fe8b10557e84040

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: a54e6020d8dade29e93e679d7d067676
  SHA1: 1ff53fa146566b3dc7a4dc43c91650a89b0bca5f
  SHA256: 3762d5141f299aa6d5bb5197aa8459d1741a4602c875a14531b77ebc861c7bbb
  SHA512: 87da29500b7ca80c15eea68253298c50073e2c643aae474b700ddd8117f7eac6bd53fc9a5358aa2bebe513e2041ca101337a13f21f0ef16450607ecc7f57b43d

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5: 97a8e1cae869b8ac29230c492eea91ac
  SHA1: 0e5b9287473b03ad8572fd32e2920f3b5a132a68
  SHA256: 6858ebdfe4bfbf413341819a084fe30cdcfb9e585c0341298d61f3232cc4e301
  SHA512: df8c4316fca3b128ab8300f75c34b57eeea380f042135a04fd371979a642e2bf9926bd53dd6df490cdb773faf1309dce8b585390fb51e53e661ce0e74f1da2b4

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5: dce233405b27b5b41c202114bf2c3697
  SHA1: 0808537e8bc2fba4a69de7d8a055d40f4fa1f7e2
  SHA256: 4a61a89734c0b6895ec05679932e9e3d3984b64e91fbdadf3c28f234d0b095ad
  SHA512: 42aca8ca3ddf73cc3b9680b2a6c5c096c177038e256270ab6448934df749573a0aa7d0d98bf8bacf7a94e646cac8f676a61b59ac76030d636aa513bbda6e99c8

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: f519687c88f855776a232bf71b6b9ac0
  SHA1: 313300e3c980ac778276860f24419771c5e6b35d
  SHA256: 4c35fadbbb5816490d0c23f1073a7c4b3f056941655a4b0450dd7991d51b6473
  SHA512: 1af49e2a4beee405f6c74fa6643b29729ea6b4dc59fcae18e186b9fdcc51016bb9681e466be6b358f8a1b3e33e4223d2b33bab0a582fd52338ba3fb8cca0a594

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JGAO043J\P0VW6L9F.htm
  MD5: 6b17a59cec1a7783febae9aa55c56556
  SHA1: 01d4581e2b3a6348679147a915a0b22b2a66643a
  SHA256: 66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb
  SHA512: 3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S7PGJ114\K8HNMTCO.htm
  MD5: b1cd7c031debba3a5c77b39b6791c1a7
  SHA1: e5d91e14e9c685b06f00e550d9e189deb2075f76
  SHA256: 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
  SHA512: d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

- C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  MD5: ef572e2c7b1bbd57654b36e8dcfdc37a
  SHA1: b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
  SHA256: e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
  SHA512: b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe (listed three times in the report; the hashes equal those of the submitted sample, so the dropped copy is byte-identical to it)
  MD5: 574f031251f67bcc6ea9168364d2fbfd
  SHA1: f5d6140140829eaa550d2ef57b3ca8281b3d79bb
  SHA256: 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8
  SHA512: d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b
Memory dumps

- memory/1300-15-0x0000000000000000-mapping.dmp
- memory/1372-16-0x0000000000000000-mapping.dmp
- memory/1392-17-0x0000000000000000-mapping.dmp
- memory/1584-18-0x0000000000000000-mapping.dmp
- memory/1616-25-0x0000000000000000-mapping.dmp
- memory/1768-19-0x0000000000000000-mapping.dmp
- memory/2092-2-0x0000000000000000-mapping.dmp
- memory/3084-6-0x0000000000000000-mapping.dmp
- memory/3084-5-0x00000000006D0000-0x00000000006D1000-memory.dmp (4KB)
- memory/3644-27-0x0000000000000000-mapping.dmp
- memory/4044-21-0x0000000000000000-mapping.dmp
- memory/4088-20-0x0000000000000000-mapping.dmp
- memory/4484-23-0x0000000000000000-mapping.dmp
- memory/4600-26-0x0000000000000000-mapping.dmp