Analysis

max time kernel: 150s
max time network: 129s
platform: windows10_x64
resource: win10v20201028
submitted: 12-12-2020 14:46

Static task: static1

Behavioral task: behavioral1
Sample: 202010121236.scr
Resource: win7v20201028

Behavioral task: behavioral2
Sample: 202010121236.scr
Resource: win10v20201028
General

Target: 202010121236.scr
Size: 449KB
MD5: 574f031251f67bcc6ea9168364d2fbfd
SHA1: f5d6140140829eaa550d2ef57b3ca8281b3d79bb
SHA256: 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8
SHA512: d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b
Malware Config

Extracted from: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
Contact e-mail addresses: wiruxa@airmail.cc, anygrishevich@yandex.ru
Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (2 IoCs)
Processes:
PID 1568  smss.exe
PID 2224  smss.exe
Deletes itself (1 IoCs)
Processes:
PID 4056  notepad.exe
notepad.exe is a child of the sample that the sample wrote into with WriteProcessMemory (six writes, see below, and the 4KB region dumped from PID 4056 under Downloads). That is consistent with injected code in notepad.exe deleting the original 202010121236.scr once smss.exe has been dropped; the report does not show the deletion command itself.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run  (202010121236.scr)
Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"  (202010121236.scr)
Both the value name and the dropped file borrow the name of the Session Manager (smss.exe), which only ever runs from %SystemRoot%\System32 and is never started from a per-user Run key. A Run entry named after a core system binary whose image sits under AppData is a reliable hunting pivot on its own.
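The check described above, written out as an added example (this is not code from the sandbox or from the sample): audit Run-key entries and flag any whose value name or file name is a core Windows binary while its image lives outside System32/SysWOW64. SAMPLE_RUN_ENTRIES is constructed from the Run value recorded in this report (stored form, not the escaped form the sandbox displays) plus a benign entry; LEGIT_SYSTEM_NAMES, the default SystemRoot and the finding format are this example's own assumptions.

```python
r"""Audit Run-key autostart entries for system-binary name masquerading.

Added example for this report, not sandbox or sample code. The real Session
Manager lives only in %SystemRoot%\System32 and is never started from a Run
key, so a Run value named smss.exe pointing into AppData is the pattern to flag.
LEGIT_SYSTEM_NAMES, the directory list and the finding format are assumptions.
"""
import os
import sys

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Core Windows binaries that only ever run from the system directories
# (assumption of this example; extend to taste).
LEGIT_SYSTEM_NAMES = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "dwm.exe", "taskhostw.exe",
}

# Constructed sample: the Run value from this report plus one benign entry.
SAMPLE_RUN_ENTRIES = {
    "smss.exe": r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start',
    "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}


def system_dirs(system_root=None):
    """Lower-cased directories where LEGIT_SYSTEM_NAMES may legitimately live."""
    root = (system_root or os.environ.get("SystemRoot", r"C:\Windows")).rstrip("\\").lower()
    return (root + "\\system32\\", root + "\\syswow64\\")


def image_path(command_line):
    """Return the executable path from a Run value, handling quoted and bare forms."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end != -1 else cl[1:]
    # Bare form: everything up to and including the first ".exe", else the first token.
    idx = cl.lower().find(".exe")
    return cl[: idx + 4] if idx != -1 else cl.split(" ", 1)[0]


def audit_run_entries(entries, system_root=None):
    """One finding per entry whose value name or file name is a core system
    binary but whose image is outside System32/SysWOW64."""
    allowed = system_dirs(system_root)
    findings = []
    for value_name, command_line in entries.items():
        path = image_path(command_line)
        file_name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if {value_name.lower(), file_name} & LEGIT_SYSTEM_NAMES and not path.lower().startswith(allowed):
            findings.append({
                "value": value_name,
                "image": path,
                "reason": "system binary name outside %SystemRoot%\\System32 / SysWOW64",
            })
    return findings


def read_hkcu_run():
    """Live-host variant: read the current user's Run key via winreg (empty off Windows)."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module, imported lazily on purpose
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries[name] = str(value)
            index += 1
    return entries


if __name__ == "__main__":
    for finding in audit_run_entries(read_hkcu_run() or SAMPLE_RUN_ENTRIES):
        print(f"[!] {finding['value']}: {finding['image']} ({finding['reason']})")
```

On a live host the script reads HKCU\...\Run itself; offline it runs against the constructed entries. Extend it to HKLM and the RunOnce keys the same way, since the check only needs the value name and the image path.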
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
smss.exe opened (read-only) the root of every drive letter except C: and D:
\??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
Flow 8: geoiptool.com
Drops file in Program Files directory (23433 IoCs; 64 shown)
All entries below are by smss.exe (PID 2224, the "-agent 0" instance in the process tree). Two artefacts recur: originals are opened for modification and reappear with ".19F-A38-1A7" appended (the extension used in this run), and a ransom note named "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT" is created in the directories it walks.
Processes:
Opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\inline-error-1x.png
Opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_ja_4.4.0.v20140623020002.jar.19F-A38-1A7
Opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sa.jar
Opened for modification: C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-200.png
Opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\PREVIEW.GIF.19F-A38-1A7
Opened for modification: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.VideoTk\ConvertPS_NV12toBGRA.cso
Opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml.19F-A38-1A7
Opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-options.xml
Opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms.19F-A38-1A7
Opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-pl.xrm-ms.19F-A38-1A7
Opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\SmallTile.scale-125.png
Created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe
Opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar
Opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar
Opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-100_contrast-white.png
Opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js
Opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\uk-ua\ui-strings.js
Opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-ma\ui-strings.js
Opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png
Opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\PREVIEW.GIF
Opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Informix.xsl.19F-A38-1A7
Opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms
Opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockSmallTile.scale-100.png
Opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-36.png
Opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-ms
Opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag@2x.png
Opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\MusicStoreLogo.scale-200.png
Opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\SurfaceProfiles\paper_indiarough_512x512.png
Opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\pr_60x42.png
Created: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml.19F-A38-1A7
Opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx.19F-A38-1A7
Created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text_2x.png.19F-A38-1A7
Opened for modification: C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\OneConnectMedTile.scale-100.png
Opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorStoreLogo.contrast-black_scale-100.png
Opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Maps.BackgroundTasks.winmd
Created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar
Opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar.19F-A38-1A7
Opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-ms.19F-A38-1A7
Opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms
Opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Arrow.png
Opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\PlayStore_icon.svg
Opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-actions.jar
Opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\191.png
Opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png
Opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms
Opened for modification: C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE
Opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-black_scale-125.png
Opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml
Opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCache-Dark.scale-180.png
Opened for modification: C:\Program Files\Java\jdk1.8.0_66\db\bin\NetworkServerControl
Opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.ja_5.5.0.165303.jar.19F-A38-1A7
Opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar
Opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-48_altform-unplated_contrast-white.png
Opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp
Opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\CoreEngine\Data\BrushProfile\TrailMask.png
Opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-40_altform-unplated.png
Opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\ui-strings.js
Opened for modification: C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML.19F-A38-1A7
Opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png.19F-A38-1A7
Opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Office16\1033\getofficecarousel.dcp
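For incident scoping, the two artefacts in the list above (the appended extension and the per-directory ransom note) are enough to count affected files and find every directory the encryptor walked. The following is an added example, not code from the sandbox or the sample. SAMPLE_PATHS is constructed from entries in the IoC list; SUFFIX_RE generalises the observed ".19F-A38-1A7" to any three hex triplets, which is this example's assumption about the format rather than something the report states.

```python
r"""Scope a Buran infection from file paths: count renamed files, recover the
appended ID suffix, and list the directories that received a ransom note.

Added example for this report, not sandbox or sample code. The ransom-note name
is the one recorded above; the hex-triplet suffix pattern is an assumption.
"""
import os
import re
from collections import Counter

RANSOM_NOTE = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"

# Observed: <original name>.<XXX-XXX-XXX> (here 19F-A38-1A7). Generalised to
# any three hex triplets; tighten to the literal suffix if you only want this run.
SUFFIX_RE = re.compile(r"^(?P<orig>.+)\.(?P<vid>[0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3})$", re.IGNORECASE)

# Constructed sample: paths copied from the "Drops file in Program Files" list.
SAMPLE_PATHS = [
    r"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_ja_4.4.0.v20140623020002.jar.19F-A38-1A7",
    r"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\PREVIEW.GIF.19F-A38-1A7",
    r"C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx.19F-A38-1A7",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
    r"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
    r"C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe",
    r"C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE",
    r"C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
]


def split_path(path):
    """Split on either separator so sandbox output and live os.walk results both work."""
    parts = re.split(r"[\\/]", path)
    name = parts[-1]
    directory = path[: len(path) - len(name) - 1] if len(parts) > 1 else ""
    return directory, name


def classify(path):
    """("note", dir) | ("encrypted", dir, victim_id, original_name) | ("other", dir)."""
    directory, name = split_path(path)
    if name == RANSOM_NOTE:
        return ("note", directory)
    m = SUFFIX_RE.match(name)
    if m:
        return ("encrypted", directory, m.group("vid").upper(), m.group("orig"))
    return ("other", directory)


def triage(paths):
    """Aggregate counts, the ID suffixes seen, note directories and original names."""
    result = {"encrypted": 0, "note": 0, "other": 0,
              "victim_ids": Counter(), "note_dirs": set(), "originals": []}
    for path in paths:
        kind, *rest = classify(path)
        result[kind] += 1
        if kind == "note":
            result["note_dirs"].add(rest[0])
        elif kind == "encrypted":
            _, vid, orig = rest
            result["victim_ids"][vid] += 1
            result["originals"].append(orig)
    result["note_dirs"] = sorted(result["note_dirs"])
    return result


def triage_tree(root):
    """Live variant: walk a directory tree (e.g. a mounted victim image) and triage every file."""
    return triage(os.path.join(dp, f) for dp, _, files in os.walk(root) for f in files)


if __name__ == "__main__":
    r = triage(SAMPLE_PATHS)
    print(f"encrypted={r['encrypted']} notes={r['note']} other={r['other']} ids={dict(r['victim_ids'])}")
    for d in r["note_dirs"]:
        print("note in:", d)
```

More than one ID suffix in the result means more than one run (or more than one victim's files on the same share), which matters when deciding whether a single key will decrypt everything. Files that were "opened for modification" but kept their original name are not counted as encrypted here; a size or entropy comparison against known-good copies is the only way to settle those.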
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
PID 3824  vssadmin.exe
PID 3808  vssadmin.exe
Modifies system certificate store (2 IoCs)
Processes:
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  (202010121236.scr)
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob, omitted here)  (202010121236.scr)
The key name is a SHA-1 certificate thumbprint under AuthRoot, the store that Windows' automatic root update populates. Taken together with the CryptnetUrlCache files listed under Downloads, this is consistent with CryptoAPI fetching a root certificate during the sample's outbound web request rather than with the sample installing a trusted root of its own (attacker-added roots normally land under ROOT or the user's store). Check the thumbprint against a known root list before using it as an indicator.
Suspicious behavior: EnumeratesProcesses (7501 IoCs)
Processes:
PID 1568  smss.exe (the original report repeats this single entry once per IoC)
Suspicious use of AdjustPrivilegeToken (89 IoCs)
Processes:
PID 3968  202010121236.scr: SeDebugPrivilege (twice)
PID 4000  WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
PID 3492  WMIC.exe: same set as PID 4000
PID 1636  vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
PID 4000  WMIC.exe: SeIncreaseQuotaPrivilege through SeManageVolumePrivilege again (second pass, without the numeric entries)
WMIC.exe enables every privilege present in its token when it starts, so the long lists for PIDs 4000 and 3492 are the tool's own behaviour and not attributable to the sample; the adjustment the sample itself makes is SeDebugPrivilege in PID 3968, the privilege it needs for the WriteProcessMemory activity recorded below. The "33" to "36" entries are privilege LUIDs the sandbox could not name.
Suspicious use of WriteProcessMemory (42 IoCs)
Processes (source PID -> target PID, number of writes):
3968 202010121236.scr -> 1568 smss.exe (3)
3968 202010121236.scr -> 4056 notepad.exe (6)
1568 smss.exe -> 1164 cmd.exe (3)
1568 smss.exe -> 800 cmd.exe (3)
1568 smss.exe -> 1892 cmd.exe (3)
1568 smss.exe -> 2500 cmd.exe (3)
1568 smss.exe -> 1632 cmd.exe (3)
1568 smss.exe -> 3144 cmd.exe (3)
1568 smss.exe -> 2224 smss.exe (3)
1164 cmd.exe -> 4000 WMIC.exe (3)
3144 cmd.exe -> 3492 WMIC.exe (3)
1632 cmd.exe -> 3808 vssadmin.exe (3)
3144 cmd.exe -> 3824 vssadmin.exe (3)
Every process that 1568 launched shows the same three writes, so three is the baseline this sandbox records for a plain process launch; notepad.exe (PID 4056) received six, which makes it the outlier and matches the 4KB region dumped from it under Downloads.
Processes

PIDs in brackets are taken from the signature tables above where they can be tied to a process; the three cmd.exe launches shown without a PID (the two bcdedit commands and wbadmin) are PIDs 800, 1892 and 2500 in some order. Image paths under C:\Windows\SysWOW64 paired with command lines naming C:\Windows\system32 show that the sample is a 32-bit binary and its children were resolved through WOW64 file-system redirection.

[PID 3968] C:\Users\Admin\AppData\Local\Temp\202010121236.scr
  "C:\Users\Admin\AppData\Local\Temp\202010121236.scr" /S
  Adds Run key to start application
  Modifies system certificate store
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory

  [PID 1568] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
    Executes dropped EXE
    Enumerates connected drives
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory

    [PID 1164] C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      Suspicious use of WriteProcessMemory

      [PID 4000] C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

    [PID 1632] C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      Suspicious use of WriteProcessMemory

      [PID 3808] C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet

    [PID 3144] C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      Suspicious use of WriteProcessMemory

      [PID 3492] C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        Suspicious use of AdjustPrivilegeToken

      [PID 3824] C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        Interacts with shadow copies

    [PID 2224] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
      Executes dropped EXE
      Drops file in Program Files directory

  [PID 4056] C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    Deletes itself

[PID 1636] C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  Suspicious use of AdjustPrivilegeToken
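The recovery-inhibition chain in the tree above (wmic shadowcopy delete, vssadmin delete shadows, both bcdedit changes, wbadmin delete catalog, then the same commands again from ~temp001.bat) is what process-creation telemetry should catch. Below is an added detection example over Sysmon event 1 / Security 4688 style records; it is not code from the sandbox or the sample. EVENTS is constructed from the command lines recorded in this report: the field names (pid, ppid, image, command_line) are this example's assumptions to be mapped onto your schema, and the PIDs for the two bcdedit launches and the wbadmin launch are placeholders because the report does not tie those cmd.exe instances to specific PIDs. The correlation step goes beyond the single-command matching most rules do: it groups hits by parent so that one administrator command does not fire while several distinct techniques from one parent do.

```python
r"""Detect the recovery-inhibition chain (ATT&CK T1490) in process-creation
telemetry and correlate hits by parent process.

Added example for this report, not sandbox or sample code. EVENTS is built from
the command lines recorded above; field names are this example's assumptions
and PIDs 9001-9003 are placeholders for launches the report does not pin down.
"""
import re
from collections import defaultdict

# Each rule tolerates an optional ".exe" and is applied to cmd.exe wrappers and
# to the spawned child alike, so either layer of telemetry is enough to match.
RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit recoveryenabled no",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("bcdedit bootstatuspolicy ignoreallfailures",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]


def cmd(pid, ppid, line):
    """A cmd.exe /C wrapper record in the shape the report shows (WOW64 image, system32 command line)."""
    return {"pid": pid, "ppid": ppid, "image": r"C:\Windows\SysWOW64\cmd.exe",
            "command_line": r'"C:\Windows\system32\cmd.exe" /C ' + line}


# Constructed from this report's process tree; parent of the cmd.exe layer is smss.exe (PID 1568).
EVENTS = [
    cmd(1164, 1568, "wmic shadowcopy delete"),
    {"pid": 4000, "ppid": 1164, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "command_line": "wmic shadowcopy delete"},
    cmd(9001, 1568, "bcdedit /set {default} recoveryenabled no"),                 # placeholder PID
    cmd(9002, 1568, "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),  # placeholder PID
    cmd(1632, 1568, "vssadmin delete shadows /all /quiet"),
    {"pid": 3808, "ppid": 1632, "image": r"C:\Windows\SysWOW64\vssadmin.exe", "command_line": "vssadmin delete shadows /all /quiet"},
    cmd(9003, 1568, "wbadmin delete catalog -quiet"),                              # placeholder PID
    cmd(3144, 1568, r"C:\Users\Admin\AppData\Local\Temp\~temp001.bat"),
    {"pid": 3492, "ppid": 3144, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "command_line": "wmic shadowcopy delete"},
    {"pid": 3824, "ppid": 3144, "image": r"C:\Windows\SysWOW64\vssadmin.exe", "command_line": "vssadmin delete shadows /all /quiet"},
    # Benign control (constructed): an administrator listing shadow copies must not fire.
    {"pid": 5000, "ppid": 700, "image": r"C:\Windows\System32\vssadmin.exe", "command_line": "vssadmin list shadows"},
]


def match_rules(command_line):
    """Labels of every rule the command line satisfies; empty when benign."""
    return [label for label, rx in RULES if rx.search(command_line)]


def detect(events):
    """One hit per matching event: the event plus its rule labels."""
    hits = []
    for ev in events:
        labels = match_rules(ev["command_line"])
        if labels:
            hits.append({**ev, "labels": labels})
    return hits


def correlate(events, threshold=2):
    """Group hits by parent PID and keep parents with at least `threshold` distinct
    techniques. One deletion may be an admin; several from one parent is the pattern above."""
    by_parent = defaultdict(set)
    for hit in detect(events):
        by_parent[hit["ppid"]].update(hit["labels"])
    return {ppid: labels for ppid, labels in by_parent.items() if len(labels) >= threshold}


if __name__ == "__main__":
    for ppid, labels in sorted(correlate(EVENTS).items()):
        print(f"[!] parent PID {ppid}: {len(labels)} recovery-inhibition techniques: {sorted(labels)}")
```

Against the constructed events the parent smss.exe (PID 1568) collects all five techniques and the ~temp001.bat shell (PID 3144) collects two, while the lone "vssadmin list shadows" control stays silent. In production, key the correlation on a process GUID rather than a raw PID and add a time window, since PIDs are reused.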
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5: 85934f14cc9248f76c58dc21180b4f15
SHA1: 5ae41d9bea1cd413260de621f2302febd1e00323
SHA256: 0d0b47c2e46b455f2d5b2bc0893585790da8a86e36f4a45311bf0a579a5efe58
SHA512: 8496972fcf149a5df72b1a9aef3865c27fe0b9cba9e3af03b0a562c8b64a89d8834a3c18008d1610fab0741decadfdb1c14f9c1b9d1307bbb23a0b6a148b5e88

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5: 4bddfe3851f7aa064be1b88af5e4516d
SHA1: 2619398420a8e45f8f68c7c02ff2fd8c5ae3f18a
SHA256: 1427416bef65c2419a8fc224206c5131d6d7b391bc74faae87859640ce0fc3dc
SHA512: 1874f93cc946fe5a1f1852f0bb740247cb8835993d7cd217e1347af794b6f606c9ad9c1b6b0604c229296d170961c88d0b31824b9f854d326fe8b10557e84040

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5: a54e6020d8dade29e93e679d7d067676
SHA1: 1ff53fa146566b3dc7a4dc43c91650a89b0bca5f
SHA256: 3762d5141f299aa6d5bb5197aa8459d1741a4602c875a14531b77ebc861c7bbb
SHA512: 87da29500b7ca80c15eea68253298c50073e2c643aae474b700ddd8117f7eac6bd53fc9a5358aa2bebe513e2041ca101337a13f21f0ef16450607ecc7f57b43d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5: 536fabec01b5468297439924797a08b2
SHA1: f82ad6cbfbe57f62154202914fb01c746a9026e2
SHA256: 92722fab94aba4e2c962c8def95eca9ca800b595de3364cc6a5c1714075933c6
SHA512: a227b5bcb573770f9550f5bb368d988dd41669a54dfe0dcba536b69b7e5b66e5edf0a56e35cd8a58edff205e2cf56703e6444b58c1a870ab7dc34d422082c72b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5: 51472043ba6da4db45fe610a693bdc7a
SHA1: 9eda4cf22579b576bc33a8c62dc8d819df2cdc07
SHA256: 6709f446d868fb3dc980b61356c3b2235c56bca73276bad7f0e20bc156f92d15
SHA512: 3dd35f945d87bd15e7b11ce3de92a55befa2e552a9a94260c1c966cc07232088781840ae776fd22096aef2af5a5227c261fd6eb6e1775202452297e42349cd7e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5: 202132b0da2d66b2656487e81cae2bee
SHA1: 9fc18cb7e5a9727bc2660f169853e3cd678cb381
SHA256: 7a59d551a42f353a88fce6c4f39dd293771f48e626d0763e5881a3b2df7cfb0b
SHA512: 02bd3a7eadc3d412658c5b438900c72b2daef6d40fdf18bd70eb44c163753b623e1fe826250d8798f21dcab5ecc9f40a2caa32c9e803d0475f02446966d6b839

The CryptnetUrlCache pairs above are CryptoAPI's cache of certificate and revocation material fetched over the network; they accompany the AuthRoot write recorded under "Modifies system certificate store".

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JGAO043J\6QJH1LJA.htm
MD5: 6b17a59cec1a7783febae9aa55c56556
SHA1: 01d4581e2b3a6348679147a915a0b22b2a66643a
SHA256: 66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb
SHA512: 3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S7PGJ114\36ZXXHIX.htm
MD5: b1cd7c031debba3a5c77b39b6791c1a7
SHA1: e5d91e14e9c685b06f00e550d9e189deb2075f76
SHA256: 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
SHA512: d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

The two INetCache entries are WinINet HTTP cache files written during the run; the only network flow this report records is to geoiptool.com.

C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5: ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1: b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256: e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512: b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
The batch file's content is not reproduced in this report; the process tree shows it launching wmic shadowcopy delete and vssadmin delete shadows /all /quiet a second time.

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
MD5: 574f031251f67bcc6ea9168364d2fbfd
SHA1: f5d6140140829eaa550d2ef57b3ca8281b3d79bb
SHA256: 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8
SHA512: d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b
All four hashes match the submitted sample (see General): the dropped smss.exe is a byte-for-byte copy of 202010121236.scr, so the sample's hashes are also the indicators for the persistent copy. The original report lists this file three times.
Memory dumps (PID-index-address-type):
memory/800-16-0x0000000000000000-mapping.dmp
memory/1164-15-0x0000000000000000-mapping.dmp
memory/1568-2-0x0000000000000000-mapping.dmp
memory/1632-19-0x0000000000000000-mapping.dmp
memory/1892-17-0x0000000000000000-mapping.dmp
memory/2224-21-0x0000000000000000-mapping.dmp
memory/2500-18-0x0000000000000000-mapping.dmp
memory/3144-20-0x0000000000000000-mapping.dmp
memory/3492-25-0x0000000000000000-mapping.dmp
memory/3808-26-0x0000000000000000-mapping.dmp
memory/3824-27-0x0000000000000000-mapping.dmp
memory/4000-23-0x0000000000000000-mapping.dmp
memory/4056-4-0x0000000003000000-0x0000000003001000-memory.dmp (Filesize 4KB)
memory/4056-6-0x0000000000000000-mapping.dmp
The only non-mapping dump is the 4KB region at 0x03000000 in notepad.exe (PID 4056), the process the sample wrote into six times; that region is where to look for the code behind "Deletes itself".