Analysis
-
max time kernel
150s -
max time network
130s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
16-12-2020 23:45
Static task
static1
Behavioral task
behavioral1
Sample
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
Resource
win10v20201028
General
-
Target
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
-
Size
449KB
-
MD5
574f031251f67bcc6ea9168364d2fbfd
-
SHA1
f5d6140140829eaa550d2ef57b3ca8281b3d79bb
-
SHA256
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8
-
SHA512
d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
wiruxa@airmail.cc
anygrishevich@yandex.ru
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
lsass.exelsass.exepid process 3608 lsass.exe 2456 lsass.exe -
Deletes itself 1 IoCs
Processes:
notepad.exepid process 2328 notepad.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start" 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
lsass.exedescription ioc process File opened (read-only) \??\L: lsass.exe File opened (read-only) \??\K: lsass.exe File opened (read-only) \??\V: lsass.exe File opened (read-only) \??\U: lsass.exe File opened (read-only) \??\S: lsass.exe File opened (read-only) \??\Q: lsass.exe File opened (read-only) \??\O: lsass.exe File opened (read-only) \??\N: lsass.exe File opened (read-only) \??\H: lsass.exe File opened (read-only) \??\F: lsass.exe File opened (read-only) \??\W: lsass.exe File opened (read-only) \??\M: lsass.exe File opened (read-only) \??\G: lsass.exe File opened (read-only) \??\A: lsass.exe File opened (read-only) \??\Z: lsass.exe File opened (read-only) \??\T: lsass.exe File opened (read-only) \??\R: lsass.exe File opened (read-only) \??\P: lsass.exe File opened (read-only) \??\J: lsass.exe File opened (read-only) \??\B: lsass.exe File opened (read-only) \??\Y: lsass.exe File opened (read-only) \??\X: lsass.exe File opened (read-only) \??\I: lsass.exe File opened (read-only) \??\E: lsass.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 22 geoiptool.com -
Drops file in Program Files directory 19780 IoCs
Processes:
lsass.exedescription ioc process File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\TimerLargeTile.scale-200.png lsass.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6584_32x32x32.png lsass.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-125.png lsass.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms.CEE-272-8B3 lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms.CEE-272-8B3 lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.tree.dat.CEE-272-8B3 lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-200_contrast-black.png lsass.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-256.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20_contrast-high.png lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ul-oob.xrm-ms lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-100.png lsass.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Google.scale-250.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated_contrast-white.png lsass.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_ja.jar.CEE-272-8B3 lsass.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\vlc.mo.CEE-272-8B3 lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\SmallTile.scale-100.png lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms.CEE-272-8B3 lsass.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-125_contrast-white.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\CherryBlossoms.jpg lsass.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core.xml lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-200.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_SaveAutomatically_LTR_Tablet.mp4 lsass.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-200.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_altform-unplated_contrast-white.png lsass.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api lsass.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar lsass.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconOpenInCinemagraph.contrast-high_scale-100.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Double Wave_icon.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\SmallTile.scale-100.png lsass.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\ui-strings.js lsass.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT lsass.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.CEE-272-8B3 lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms lsass.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\SmallTile.scale-125.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\157.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\Leaves.jpg lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-100.png lsass.exe File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt lsass.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\cmm\CIEXYZ.pf.CEE-272-8B3 lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-pl.xrm-ms lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE.CEE-272-8B3 lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\NavColumn_Black\Icon_Quality.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\cn_60x42.png lsass.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms lsass.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-125.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\SmallFreecellTile.jpg lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\TriPeaks\ResPacks\tripeaksgameplay.respack lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-256_altform-unplated.png lsass.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\9724_40x40x32.png lsass.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT lsass.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\LargeTile.scale-100.png lsass.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GameEnd\endGame_blue_down.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1849_20x20x32.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-200.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-40_altform-unplated.png lsass.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\MedTile.scale-100.png lsass.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\ui-strings.js.CEE-272-8B3 lsass.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT lsass.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 1128 vssadmin.exe 3932 vssadmin.exe -
Processes:
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe -
Suspicious behavior: EnumeratesProcesses 7548 IoCs
Processes:
lsass.exepid process 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe 3608 lsass.exe -
Suspicious use of AdjustPrivilegeToken 89 IoCs
Processes:
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exeWMIC.exeWMIC.exevssvc.exedescription pid process Token: SeDebugPrivilege 2604 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe Token: SeDebugPrivilege 2604 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe Token: SeIncreaseQuotaPrivilege 2032 WMIC.exe Token: SeSecurityPrivilege 2032 WMIC.exe Token: SeTakeOwnershipPrivilege 2032 WMIC.exe Token: SeLoadDriverPrivilege 2032 WMIC.exe Token: SeSystemProfilePrivilege 2032 WMIC.exe Token: SeSystemtimePrivilege 2032 WMIC.exe Token: SeProfSingleProcessPrivilege 2032 WMIC.exe Token: SeIncBasePriorityPrivilege 2032 WMIC.exe Token: SeCreatePagefilePrivilege 2032 WMIC.exe Token: SeBackupPrivilege 2032 WMIC.exe Token: SeRestorePrivilege 2032 WMIC.exe Token: SeShutdownPrivilege 2032 WMIC.exe Token: SeDebugPrivilege 2032 WMIC.exe Token: SeSystemEnvironmentPrivilege 2032 WMIC.exe Token: SeRemoteShutdownPrivilege 2032 WMIC.exe Token: SeUndockPrivilege 2032 WMIC.exe Token: SeManageVolumePrivilege 2032 WMIC.exe Token: 33 2032 WMIC.exe Token: 34 2032 WMIC.exe Token: 35 2032 WMIC.exe Token: 36 2032 WMIC.exe Token: SeIncreaseQuotaPrivilege 744 WMIC.exe Token: SeSecurityPrivilege 744 WMIC.exe Token: SeTakeOwnershipPrivilege 744 WMIC.exe Token: SeLoadDriverPrivilege 744 WMIC.exe Token: SeSystemProfilePrivilege 744 WMIC.exe Token: SeSystemtimePrivilege 744 WMIC.exe Token: SeProfSingleProcessPrivilege 744 WMIC.exe Token: SeIncBasePriorityPrivilege 744 WMIC.exe Token: SeCreatePagefilePrivilege 744 WMIC.exe Token: SeBackupPrivilege 744 WMIC.exe Token: SeRestorePrivilege 744 WMIC.exe Token: SeShutdownPrivilege 744 WMIC.exe Token: SeDebugPrivilege 744 WMIC.exe Token: SeSystemEnvironmentPrivilege 744 WMIC.exe Token: SeRemoteShutdownPrivilege 744 WMIC.exe Token: SeUndockPrivilege 744 WMIC.exe Token: SeManageVolumePrivilege 744 WMIC.exe Token: 33 744 WMIC.exe Token: 34 744 WMIC.exe Token: 35 744 WMIC.exe Token: 36 744 WMIC.exe Token: SeBackupPrivilege 2176 vssvc.exe Token: SeRestorePrivilege 2176 vssvc.exe Token: SeAuditPrivilege 2176 vssvc.exe Token: SeIncreaseQuotaPrivilege 2032 WMIC.exe Token: SeSecurityPrivilege 2032 WMIC.exe Token: SeTakeOwnershipPrivilege 2032 WMIC.exe Token: SeLoadDriverPrivilege 2032 WMIC.exe Token: SeSystemProfilePrivilege 2032 WMIC.exe Token: SeSystemtimePrivilege 2032 WMIC.exe Token: SeProfSingleProcessPrivilege 2032 WMIC.exe Token: SeIncBasePriorityPrivilege 2032 WMIC.exe Token: SeCreatePagefilePrivilege 2032 WMIC.exe Token: SeBackupPrivilege 2032 WMIC.exe Token: SeRestorePrivilege 2032 WMIC.exe Token: SeShutdownPrivilege 2032 WMIC.exe Token: SeDebugPrivilege 2032 WMIC.exe Token: SeSystemEnvironmentPrivilege 2032 WMIC.exe Token: SeRemoteShutdownPrivilege 2032 WMIC.exe Token: SeUndockPrivilege 2032 WMIC.exe Token: SeManageVolumePrivilege 2032 WMIC.exe -
Suspicious use of WriteProcessMemory 42 IoCs
Processes:
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exelsass.execmd.execmd.execmd.exedescription pid process target process PID 2604 wrote to memory of 3608 2604 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe lsass.exe PID 2604 wrote to memory of 3608 2604 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe lsass.exe PID 2604 wrote to memory of 3608 2604 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe lsass.exe PID 2604 wrote to memory of 2328 2604 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe notepad.exe PID 2604 wrote to memory of 2328 2604 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe notepad.exe PID 2604 wrote to memory of 2328 2604 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe notepad.exe PID 2604 wrote to memory of 2328 2604 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe notepad.exe PID 2604 wrote to memory of 2328 2604 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe notepad.exe PID 2604 wrote to memory of 2328 2604 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe notepad.exe PID 3608 wrote to memory of 2156 3608 lsass.exe cmd.exe PID 3608 wrote to memory of 2156 3608 lsass.exe cmd.exe PID 3608 wrote to memory of 2156 3608 lsass.exe cmd.exe PID 3608 wrote to memory of 3908 3608 lsass.exe cmd.exe PID 3608 wrote to memory of 3908 3608 lsass.exe cmd.exe PID 3608 wrote to memory of 3908 3608 lsass.exe cmd.exe PID 3608 wrote to memory of 4040 3608 lsass.exe cmd.exe PID 3608 wrote to memory of 4040 3608 lsass.exe cmd.exe PID 3608 wrote to memory of 4040 3608 lsass.exe cmd.exe PID 3608 wrote to memory of 1040 3608 lsass.exe cmd.exe PID 3608 wrote to memory of 1040 3608 lsass.exe cmd.exe PID 3608 wrote to memory of 1040 3608 lsass.exe cmd.exe PID 3608 wrote to memory of 1564 3608 lsass.exe cmd.exe PID 3608 wrote to memory of 1564 3608 lsass.exe cmd.exe PID 3608 wrote to memory of 1564 3608 lsass.exe cmd.exe PID 3608 wrote to memory of 2680 3608 lsass.exe cmd.exe PID 3608 wrote to memory of 2680 3608 lsass.exe cmd.exe PID 3608 wrote to memory of 2680 3608 lsass.exe cmd.exe PID 3608 wrote to memory of 2456 3608 lsass.exe lsass.exe PID 3608 wrote to memory of 2456 3608 lsass.exe lsass.exe PID 3608 wrote to memory of 2456 3608 lsass.exe lsass.exe PID 1564 wrote to memory of 1128 1564 cmd.exe vssadmin.exe PID 1564 wrote to memory of 1128 1564 cmd.exe vssadmin.exe PID 1564 wrote to memory of 1128 1564 cmd.exe vssadmin.exe PID 2156 wrote to memory of 2032 2156 cmd.exe WMIC.exe PID 2156 wrote to memory of 2032 2156 cmd.exe WMIC.exe PID 2156 wrote to memory of 2032 2156 cmd.exe WMIC.exe PID 2680 wrote to memory of 744 2680 cmd.exe WMIC.exe PID 2680 wrote to memory of 744 2680 cmd.exe WMIC.exe PID 2680 wrote to memory of 744 2680 cmd.exe WMIC.exe PID 2680 wrote to memory of 3932 2680 cmd.exe vssadmin.exe PID 2680 wrote to memory of 3932 2680 cmd.exe vssadmin.exe PID 2680 wrote to memory of 3932 2680 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe"C:\Users\Admin\AppData\Local\Temp\438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe"1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 03⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\notepad.exenotepad.exe2⤵
- Deletes itself
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBMD5
b36da5c81e37e66335b100fe541c1668
SHA181b166b7d5c9801ca146d1ef5b95aac47c952112
SHA256996dbe67869eabac1e506abdc5b12c933eb5c735778481c9894c7a9ae9bd1d49
SHA512c551487a3b6f952a7328abd2449934427209dc537a0c0429335facb7faa103fc5a8788197ab6f48830e184d953cbd0e9e99b4787e3565f52c9fd50759ff0abaa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEEMD5
a39a754e0b0ba7e439a962153cc63feb
SHA1b4d9a16bce5017a94196a68d87de254f0795922b
SHA256bcd4f320f4b3cf23708d4f373d4eb0208c453dbaffa9f5b402ab73f127528c6e
SHA5128c206e9fc85c7a05b4eaa34269c5af83bf016c043d881472b9f90ecf83c781892c450d1593d36bdcc080c552748e2fe61c439769ca93ccdc5a2453b74a2175b6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
c8f6d84e4c36d9393622a1af12a9a848
SHA11df0282b790a4a641c0f256a842141d5666a3f30
SHA256c7b9816df943aee5e1923deaaa2abef8881da46a27fec381e0b92ac30f810ebb
SHA512a835f48c7468366ebee56d2387493c5d789a695d895ad9c0f010cdd7ca96ed33269266a2ca4264a45021644d811853eab371520377bcdf404f70ab3b9ed6f9d1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBMD5
f0caafd7759ab9d808a54559a6bee942
SHA15af7b08c037c4a199fb180043e87589b836b0080
SHA256967db85b59d6e62048ea582f0618dcf4fcd5da5c5898f10e57c3b9dc476a1a68
SHA512a3d25e7a563c8272d56ea91f8a40eb151e31d80be56533426ec29544935cc036e01c84bff22c991ac22ef80af185373af12de5f99b566894f149da1049bcdf68
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEEMD5
731c7e2c32ea0df6526cffef2f114c8a
SHA1dd04e081c9e208ed5001666aed5e97a3dd2105ee
SHA25621a8b06358f5d0e6220155a3bf5fb4e8f6049b08922218787a71693874c4be70
SHA512ee56585ca7bb5741c6aaf6f481609b7fa3211649dd70071356d1b9c89a8b6d532511a3b635fbb8155d5206e92932da63dcff07d6c066be927397c4b48f4e412d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
5d2dddf999ed522879df7d8a00809d95
SHA1ee686cef48d2b28b4ec790a11618736c225b9c91
SHA2565f2b57c81e1c5b818843f5ba55aa9444fcdec96d45192c65941559ee8cdf35de
SHA5129a11208781f61e555db02315cc2bffce9a7c766b70eb48e1de9c1efa7ca89e1f3bdb4d2ea8622afaba198f3e04d2695cb3c79d560d5123908d23935c05ca2389
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\5B101CTT.htmMD5
b1cd7c031debba3a5c77b39b6791c1a7
SHA1e5d91e14e9c685b06f00e550d9e189deb2075f76
SHA25657ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
SHA512d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\6Y8NUVKR.htmMD5
8615e70875c2cc0b9db16027b9adf11d
SHA14ed62cf405311c0ff562a3c59334a15ddc4f1bf9
SHA256da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d
SHA512cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73
-
C:\Users\Admin\AppData\Local\Temp\~temp001.batMD5
ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exeMD5
574f031251f67bcc6ea9168364d2fbfd
SHA1f5d6140140829eaa550d2ef57b3ca8281b3d79bb
SHA256438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8
SHA512d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exeMD5
574f031251f67bcc6ea9168364d2fbfd
SHA1f5d6140140829eaa550d2ef57b3ca8281b3d79bb
SHA256438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8
SHA512d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exeMD5
574f031251f67bcc6ea9168364d2fbfd
SHA1f5d6140140829eaa550d2ef57b3ca8281b3d79bb
SHA256438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8
SHA512d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b
-
memory/744-26-0x0000000000000000-mapping.dmp
-
memory/1040-18-0x0000000000000000-mapping.dmp
-
memory/1128-24-0x0000000000000000-mapping.dmp
-
memory/1564-19-0x0000000000000000-mapping.dmp
-
memory/2032-25-0x0000000000000000-mapping.dmp
-
memory/2156-15-0x0000000000000000-mapping.dmp
-
memory/2328-5-0x0000000002DD0000-0x0000000002DD1000-memory.dmpFilesize
4KB
-
memory/2328-6-0x0000000000000000-mapping.dmp
-
memory/2456-21-0x0000000000000000-mapping.dmp
-
memory/2680-20-0x0000000000000000-mapping.dmp
-
memory/3608-2-0x0000000000000000-mapping.dmp
-
memory/3908-16-0x0000000000000000-mapping.dmp
-
memory/3932-27-0x0000000000000000-mapping.dmp
-
memory/4040-17-0x0000000000000000-mapping.dmp