buran | 513c4fe0de5b8df83d8d99ce55f0c474600699591a4185fdb0b4ee5e9c718924

Analysis

max time kernel
150s
max time network
130s
platform
windows10_x64
resource
win10v20201028
submitted
16-12-2020 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
Size

449KB
MD5

574f031251f67bcc6ea9168364d2fbfd
SHA1

f5d6140140829eaa550d2ef57b3ca8281b3d79bb
SHA256

438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8
SHA512

d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: yongloun@tutanota.com and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: wiruxa@airmail.cc Reserved email: anygrishevich@yandex.ru Your personal ID: CEE-272-8B3 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

wiruxa@airmail.cc

anygrishevich@yandex.ru

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

lsass.exelsass.exe

pid process

3608 lsass.exe
2456 lsass.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

2328 notepad.exe

pid	process
2328	notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

lsass.exe

description	ioc	process
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\F:	lsass.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\A:	lsass.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\B:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\E:	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 geoiptool.com

flow	ioc
22	geoiptool.com

Drops file in Program Files directory 19780 IoCs

Processes:

lsass.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\TimerLargeTile.scale-200.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6584_32x32x32.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-125.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms.CEE-272-8B3	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms.CEE-272-8B3	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.tree.dat.CEE-272-8B3	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-200_contrast-black.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-256.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20_contrast-high.png	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ul-oob.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-100.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Google.scale-250.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated_contrast-white.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_ja.jar.CEE-272-8B3	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\vlc.mo.CEE-272-8B3	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\SmallTile.scale-100.png	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms.CEE-272-8B3	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-125_contrast-white.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\CherryBlossoms.jpg	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core.xml	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-200.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_SaveAutomatically_LTR_Tablet.mp4	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-200.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_altform-unplated_contrast-white.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconOpenInCinemagraph.contrast-high_scale-100.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Double Wave_icon.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\SmallTile.scale-100.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\ui-strings.js	lsass.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.CEE-272-8B3	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\SmallTile.scale-125.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\157.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\Leaves.jpg	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-100.png	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	lsass.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\cmm\CIEXYZ.pf.CEE-272-8B3	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-pl.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE.CEE-272-8B3	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\NavColumn_Black\Icon_Quality.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\cn_60x42.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-125.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\SmallFreecellTile.jpg	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\TriPeaks\ResPacks\tripeaksgameplay.respack	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-256_altform-unplated.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\9724_40x40x32.png	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\LargeTile.scale-100.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GameEnd\endGame_blue_down.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1849_20x20x32.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-200.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-40_altform-unplated.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\MedTile.scale-100.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\ui-strings.js.CEE-272-8B3	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1128 vssadmin.exe
3932 vssadmin.exe

pid	process
1128	vssadmin.exe
3932	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe

Suspicious behavior: EnumeratesProcesses 7548 IoCs

Processes:

lsass.exe

pid	process
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe
3608	lsass.exe

Suspicious use of AdjustPrivilegeToken 89 IoCs

Processes:

438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2604	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
Token: SeDebugPrivilege	2604	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
Token: SeIncreaseQuotaPrivilege	2032	WMIC.exe
Token: SeSecurityPrivilege	2032	WMIC.exe
Token: SeTakeOwnershipPrivilege	2032	WMIC.exe
Token: SeLoadDriverPrivilege	2032	WMIC.exe
Token: SeSystemProfilePrivilege	2032	WMIC.exe
Token: SeSystemtimePrivilege	2032	WMIC.exe
Token: SeProfSingleProcessPrivilege	2032	WMIC.exe
Token: SeIncBasePriorityPrivilege	2032	WMIC.exe
Token: SeCreatePagefilePrivilege	2032	WMIC.exe
Token: SeBackupPrivilege	2032	WMIC.exe
Token: SeRestorePrivilege	2032	WMIC.exe
Token: SeShutdownPrivilege	2032	WMIC.exe
Token: SeDebugPrivilege	2032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2032	WMIC.exe
Token: SeRemoteShutdownPrivilege	2032	WMIC.exe
Token: SeUndockPrivilege	2032	WMIC.exe
Token: SeManageVolumePrivilege	2032	WMIC.exe
Token: 33	2032	WMIC.exe
Token: 34	2032	WMIC.exe
Token: 35	2032	WMIC.exe
Token: 36	2032	WMIC.exe
Token: SeIncreaseQuotaPrivilege	744	WMIC.exe
Token: SeSecurityPrivilege	744	WMIC.exe
Token: SeTakeOwnershipPrivilege	744	WMIC.exe
Token: SeLoadDriverPrivilege	744	WMIC.exe
Token: SeSystemProfilePrivilege	744	WMIC.exe
Token: SeSystemtimePrivilege	744	WMIC.exe
Token: SeProfSingleProcessPrivilege	744	WMIC.exe
Token: SeIncBasePriorityPrivilege	744	WMIC.exe
Token: SeCreatePagefilePrivilege	744	WMIC.exe
Token: SeBackupPrivilege	744	WMIC.exe
Token: SeRestorePrivilege	744	WMIC.exe
Token: SeShutdownPrivilege	744	WMIC.exe
Token: SeDebugPrivilege	744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	744	WMIC.exe
Token: SeRemoteShutdownPrivilege	744	WMIC.exe
Token: SeUndockPrivilege	744	WMIC.exe
Token: SeManageVolumePrivilege	744	WMIC.exe
Token: 33	744	WMIC.exe
Token: 34	744	WMIC.exe
Token: 35	744	WMIC.exe
Token: 36	744	WMIC.exe
Token: SeBackupPrivilege	2176	vssvc.exe
Token: SeRestorePrivilege	2176	vssvc.exe
Token: SeAuditPrivilege	2176	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2032	WMIC.exe
Token: SeSecurityPrivilege	2032	WMIC.exe
Token: SeTakeOwnershipPrivilege	2032	WMIC.exe
Token: SeLoadDriverPrivilege	2032	WMIC.exe
Token: SeSystemProfilePrivilege	2032	WMIC.exe
Token: SeSystemtimePrivilege	2032	WMIC.exe
Token: SeProfSingleProcessPrivilege	2032	WMIC.exe
Token: SeIncBasePriorityPrivilege	2032	WMIC.exe
Token: SeCreatePagefilePrivilege	2032	WMIC.exe
Token: SeBackupPrivilege	2032	WMIC.exe
Token: SeRestorePrivilege	2032	WMIC.exe
Token: SeShutdownPrivilege	2032	WMIC.exe
Token: SeDebugPrivilege	2032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2032	WMIC.exe
Token: SeRemoteShutdownPrivilege	2032	WMIC.exe
Token: SeUndockPrivilege	2032	WMIC.exe
Token: SeManageVolumePrivilege	2032	WMIC.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exelsass.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2604 wrote to memory of 3608	2604	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	lsass.exe
PID 2604 wrote to memory of 3608	2604	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	lsass.exe
PID 2604 wrote to memory of 3608	2604	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	lsass.exe
PID 2604 wrote to memory of 2328	2604	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	notepad.exe
PID 2604 wrote to memory of 2328	2604	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	notepad.exe
PID 2604 wrote to memory of 2328	2604	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	notepad.exe
PID 2604 wrote to memory of 2328	2604	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	notepad.exe
PID 2604 wrote to memory of 2328	2604	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	notepad.exe
PID 2604 wrote to memory of 2328	2604	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	notepad.exe
PID 3608 wrote to memory of 2156	3608	lsass.exe	cmd.exe
PID 3608 wrote to memory of 2156	3608	lsass.exe	cmd.exe
PID 3608 wrote to memory of 2156	3608	lsass.exe	cmd.exe
PID 3608 wrote to memory of 3908	3608	lsass.exe	cmd.exe
PID 3608 wrote to memory of 3908	3608	lsass.exe	cmd.exe
PID 3608 wrote to memory of 3908	3608	lsass.exe	cmd.exe
PID 3608 wrote to memory of 4040	3608	lsass.exe	cmd.exe
PID 3608 wrote to memory of 4040	3608	lsass.exe	cmd.exe
PID 3608 wrote to memory of 4040	3608	lsass.exe	cmd.exe
PID 3608 wrote to memory of 1040	3608	lsass.exe	cmd.exe
PID 3608 wrote to memory of 1040	3608	lsass.exe	cmd.exe
PID 3608 wrote to memory of 1040	3608	lsass.exe	cmd.exe
PID 3608 wrote to memory of 1564	3608	lsass.exe	cmd.exe
PID 3608 wrote to memory of 1564	3608	lsass.exe	cmd.exe
PID 3608 wrote to memory of 1564	3608	lsass.exe	cmd.exe
PID 3608 wrote to memory of 2680	3608	lsass.exe	cmd.exe
PID 3608 wrote to memory of 2680	3608	lsass.exe	cmd.exe
PID 3608 wrote to memory of 2680	3608	lsass.exe	cmd.exe
PID 3608 wrote to memory of 2456	3608	lsass.exe	lsass.exe
PID 3608 wrote to memory of 2456	3608	lsass.exe	lsass.exe
PID 3608 wrote to memory of 2456	3608	lsass.exe	lsass.exe
PID 1564 wrote to memory of 1128	1564	cmd.exe	vssadmin.exe
PID 1564 wrote to memory of 1128	1564	cmd.exe	vssadmin.exe
PID 1564 wrote to memory of 1128	1564	cmd.exe	vssadmin.exe
PID 2156 wrote to memory of 2032	2156	cmd.exe	WMIC.exe
PID 2156 wrote to memory of 2032	2156	cmd.exe	WMIC.exe
PID 2156 wrote to memory of 2032	2156	cmd.exe	WMIC.exe
PID 2680 wrote to memory of 744	2680	cmd.exe	WMIC.exe
PID 2680 wrote to memory of 744	2680	cmd.exe	WMIC.exe
PID 2680 wrote to memory of 744	2680	cmd.exe	WMIC.exe
PID 2680 wrote to memory of 3932	2680	cmd.exe	vssadmin.exe
PID 2680 wrote to memory of 3932	2680	cmd.exe	vssadmin.exe
PID 2680 wrote to memory of 3932	2680	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
"C:\Users\Admin\AppData\Local\Temp\438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:4040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1040

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:3932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1128

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:2328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
b36da5c81e37e66335b100fe541c1668

SHA1
81b166b7d5c9801ca146d1ef5b95aac47c952112

SHA256
996dbe67869eabac1e506abdc5b12c933eb5c735778481c9894c7a9ae9bd1d49

SHA512
c551487a3b6f952a7328abd2449934427209dc537a0c0429335facb7faa103fc5a8788197ab6f48830e184d953cbd0e9e99b4787e3565f52c9fd50759ff0abaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
a39a754e0b0ba7e439a962153cc63feb

SHA1
b4d9a16bce5017a94196a68d87de254f0795922b

SHA256
bcd4f320f4b3cf23708d4f373d4eb0208c453dbaffa9f5b402ab73f127528c6e

SHA512
8c206e9fc85c7a05b4eaa34269c5af83bf016c043d881472b9f90ecf83c781892c450d1593d36bdcc080c552748e2fe61c439769ca93ccdc5a2453b74a2175b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
c8f6d84e4c36d9393622a1af12a9a848

SHA1
1df0282b790a4a641c0f256a842141d5666a3f30

SHA256
c7b9816df943aee5e1923deaaa2abef8881da46a27fec381e0b92ac30f810ebb

SHA512
a835f48c7468366ebee56d2387493c5d789a695d895ad9c0f010cdd7ca96ed33269266a2ca4264a45021644d811853eab371520377bcdf404f70ab3b9ed6f9d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
f0caafd7759ab9d808a54559a6bee942

SHA1
5af7b08c037c4a199fb180043e87589b836b0080

SHA256
967db85b59d6e62048ea582f0618dcf4fcd5da5c5898f10e57c3b9dc476a1a68

SHA512
a3d25e7a563c8272d56ea91f8a40eb151e31d80be56533426ec29544935cc036e01c84bff22c991ac22ef80af185373af12de5f99b566894f149da1049bcdf68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
731c7e2c32ea0df6526cffef2f114c8a

SHA1
dd04e081c9e208ed5001666aed5e97a3dd2105ee

SHA256
21a8b06358f5d0e6220155a3bf5fb4e8f6049b08922218787a71693874c4be70

SHA512
ee56585ca7bb5741c6aaf6f481609b7fa3211649dd70071356d1b9c89a8b6d532511a3b635fbb8155d5206e92932da63dcff07d6c066be927397c4b48f4e412d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
5d2dddf999ed522879df7d8a00809d95

SHA1
ee686cef48d2b28b4ec790a11618736c225b9c91

SHA256
5f2b57c81e1c5b818843f5ba55aa9444fcdec96d45192c65941559ee8cdf35de

SHA512
9a11208781f61e555db02315cc2bffce9a7c766b70eb48e1de9c1efa7ca89e1f3bdb4d2ea8622afaba198f3e04d2695cb3c79d560d5123908d23935c05ca2389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\5B101CTT.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\6Y8NUVKR.htm
MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
574f031251f67bcc6ea9168364d2fbfd

SHA1
f5d6140140829eaa550d2ef57b3ca8281b3d79bb

SHA256
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8

SHA512
d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
574f031251f67bcc6ea9168364d2fbfd

SHA1
f5d6140140829eaa550d2ef57b3ca8281b3d79bb

SHA256
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8

SHA512
d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
574f031251f67bcc6ea9168364d2fbfd

SHA1
f5d6140140829eaa550d2ef57b3ca8281b3d79bb

SHA256
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8

SHA512
d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

Download Submit
memory/744-26-0x0000000000000000-mapping.dmp

Download
memory/1040-18-0x0000000000000000-mapping.dmp

Download
memory/1128-24-0x0000000000000000-mapping.dmp

Download
memory/1564-19-0x0000000000000000-mapping.dmp

Download
memory/2032-25-0x0000000000000000-mapping.dmp

Download
memory/2156-15-0x0000000000000000-mapping.dmp

Download
memory/2328-5-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/2328-6-0x0000000000000000-mapping.dmp

Download
memory/2456-21-0x0000000000000000-mapping.dmp

Download
memory/2680-20-0x0000000000000000-mapping.dmp

Download
memory/3608-2-0x0000000000000000-mapping.dmp

Download
memory/3908-16-0x0000000000000000-mapping.dmp

Download
memory/3932-27-0x0000000000000000-mapping.dmp

Download
memory/4040-17-0x0000000000000000-mapping.dmp

Download