Analysis
- max time kernel: 150s
- max time network: 130s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 16:06

Static task: static1

Behavioral task: behavioral1
  Sample: b56a1f8a3ba9c5eb1a3b1a6aca398676.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: b56a1f8a3ba9c5eb1a3b1a6aca398676.exe
  Resource: win10v20201028
General
- Target: b56a1f8a3ba9c5eb1a3b1a6aca398676.exe
- Size: 325KB
- MD5: b56a1f8a3ba9c5eb1a3b1a6aca398676
- SHA1: 345a633366ec3dab7813924773377afc005cc5fc
- SHA256: 812e862c4c470d4728a408b64d1cff9dca2f302f2742ff5ec99aeb896870bc6e
- SHA512: ee9f751e332d9cf2cc8cc42a3cc9e7b2e6671358623c9e5a00a45a9f3a86e648aa7e13a43001d69a516ea78579c98fe6f102d42b930199872134d17efa6e32e4
Malware Config
Extracted
- Ransom note: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- Family: buran
- Emails: uspex1@cock.li, uspex2@cock.li
Signatures
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    2476  chKlkcHb.exe
    3860  spoolsv.exe
    1728  spoolsv.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run
    process: chKlkcHb.exe

    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\spoolsv.exe\" -start"
    process: chKlkcHb.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description              ioc     process
    File opened (read-only)  \??\W:  spoolsv.exe
    File opened (read-only)  \??\P:  spoolsv.exe
    File opened (read-only)  \??\J:  spoolsv.exe
    File opened (read-only)  \??\F:  spoolsv.exe
    File opened (read-only)  \??\E:  spoolsv.exe
    File opened (read-only)  \??\B:  spoolsv.exe
    File opened (read-only)  \??\Y:  spoolsv.exe
    File opened (read-only)  \??\V:  spoolsv.exe
    File opened (read-only)  \??\R:  spoolsv.exe
    File opened (read-only)  \??\N:  spoolsv.exe
    File opened (read-only)  \??\H:  spoolsv.exe
    File opened (read-only)  \??\G:  spoolsv.exe
    File opened (read-only)  \??\A:  spoolsv.exe
    File opened (read-only)  \??\U:  spoolsv.exe
    File opened (read-only)  \??\T:  spoolsv.exe
    File opened (read-only)  \??\O:  spoolsv.exe
    File opened (read-only)  \??\M:  spoolsv.exe
    File opened (read-only)  \??\L:  spoolsv.exe
    File opened (read-only)  \??\Z:  spoolsv.exe
    File opened (read-only)  \??\X:  spoolsv.exe
    File opened (read-only)  \??\S:  spoolsv.exe
    File opened (read-only)  \??\Q:  spoolsv.exe
    File opened (read-only)  \??\K:  spoolsv.exe
    File opened (read-only)  \??\I:  spoolsv.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    14    geoiptool.com
- Drops file in Program Files directory (19543 IoCs)
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid   process
    3492  vssadmin.exe
    3176  vssadmin.exe
- Modifies system certificate store
  Processes:
    description: Key created
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
    process: chKlkcHb.exe

    description: Set value (data)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob value not present on page)
    process: chKlkcHb.exe
- Suspicious use of AdjustPrivilegeToken (89 IoCs)
- Suspicious use of WriteProcessMemory (45 IoCs)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\b56a1f8a3ba9c5eb1a3b1a6aca398676.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b56a1f8a3ba9c5eb1a3b1a6aca398676.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\chKlkcHb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\chKlkcHb.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
      Signatures: Executes dropped EXE; Enumerates connected drives; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          Signatures: Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin delete shadows /all /quiet
          Signatures: Interacts with shadow copies
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          Signatures: Suspicious use of AdjustPrivilegeToken
        - [5] C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin delete shadows /all /quiet
          Signatures: Interacts with shadow copies
      - [4] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
        Signatures: Executes dropped EXE; Drops file in Program Files directory
    - [3] C:\Windows\SysWOW64\notepad.exe
      Command line: notepad.exe
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Downloads