Analysis
max time kernel: 79s
max time network: 12s
platform: windows7_x64
resource: win7v20201028
submitted: 17-12-2020 08:30

Static task: static1
Behavioral task: behavioral1
  Sample: f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe
  Resource: win10v20201028
General
Target: f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe
Size: 450KB
MD5: efc275dbc9e66fbbc84cfac31aeabfd0
SHA1: 46458fe09b1d29198cb1c143d5f8d517850493f5
SHA256: f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5
SHA512: 45e8578bd9c58e522fe7c6680d972ce510d3fe483a70583bf192ebd1a946da8c492d5aecb126778defcaffb66550b91b047c7a9934a6b3e88c2da36a4754596e
Malware Config
Extracted
C:\!!! HOW TO BACK YOUR FILES !!!.TXT
buran
Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (2 IoCs)
Processes:
  pid 1636  TrustedInstaller.exe
  pid 828   TrustedInstaller.exe

Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
  File opened for modification  C:\Users\Admin\Pictures\CheckpointExport.tiff  TrustedInstaller.exe
  File opened for modification  C:\Users\Admin\Pictures\SplitComplete.tiff  TrustedInstaller.exe

Loads dropped DLL (1 IoCs)
Processes:
  pid 884  f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\TrustedInstaller.exe\" -start"  f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe
  Key created  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run  f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Drops file in Program Files directory (15290 IoCs)
Processes:
Drops file in Windows directory (1 IoCs)
Processes:
  File created  C:\Windows\!!! HOW TO BACK YOUR FILES !!!.TXT  TrustedInstaller.exe

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid 1152  vssadmin.exe
  pid 1264  vssadmin.exe

Suspicious use of AdjustPrivilegeToken (85 IoCs)
Processes:
Suspicious use of WriteProcessMemory (55 IoCs)
Processes:
Processes

C:\Users\Admin\AppData\Local\Temp\f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -agent 0
      - Executes dropped EXE
      - Modifies extensions of user files
      - Drops file in Program Files directory
      - Drops file in Windows directory
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    C:\Windows\SysWOW64\notepad.exe
      command line: notepad.exe
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads