Analysis
  Max time kernel: 91s
  Max time network: 66s
  Platform: windows10_x64
  Resource: win10v20201028
  Submitted: 17-12-2020 08:30
  Static task: static1
  Behavioral task: behavioral1
    Sample: f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe
    Resource: win7v20201028
  Behavioral task: behavioral2
    Sample: f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe
    Resource: win10v20201028
General
  Target: f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe
  Size: 450KB
  MD5: efc275dbc9e66fbbc84cfac31aeabfd0
  SHA1: 46458fe09b1d29198cb1c143d5f8d517850493f5
  SHA256: f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5
  SHA512: 45e8578bd9c58e522fe7c6680d972ce510d3fe483a70583bf192ebd1a946da8c492d5aecb126778defcaffb66550b91b047c7a9934a6b3e88c2da36a4754596e
Malware Config
  Extracted from: C:\!!! HOW TO BACK YOUR FILES !!!.TXT
  Family: buran
Signatures
  Buran
    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
  Deletes shadow copies (2 TTPs)
    Ransomware often targets backup files to inhibit system recovery.
  Executes dropped EXE (2 IoCs)
    Processes:
    - svchost.exe (PID 2704)
    - svchost.exe (PID 2488)
  Adds Run key to start application (2 TTPs, 2 IoCs)
    Processes:
    - f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"
    - f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe: Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Enumerates connected drives (3 TTPs, 24 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
    Processes:
    - svchost.exe: File opened (read-only) \??\Q:, \??\N:, \??\M:, \??\J:, \??\H:, \??\E:, \??\B:, \??\T:, \??\A:, \??\S:, \??\O:, \??\L:, \??\K:, \??\I:, \??\F:, \??\U:, \??\Y:, \??\W:, \??\R:, \??\P:, \??\G:, \??\Z:, \??\V:, \??\X:
  Drops file in Program Files directory (25700 IoCs)
    Processes:
    - svchost.exe
  Drops file in Windows directory (1 IoC)
    Processes:
    - svchost.exe: File created C:\Windows\!!! HOW TO BACK YOUR FILES !!!.TXT
  Interacts with shadow copies (2 TTPs, 2 IoCs)
    Shadow copies are often targeted by ransomware to inhibit system recovery.
    Processes:
    - vssadmin.exe (PID 1924)
    - vssadmin.exe (PID 3672)
  Suspicious use of AdjustPrivilegeToken (89 IoCs)
    Processes (token privileges enabled, in the order reported):
    - WMIC.exe (PID 904): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    - WMIC.exe (PID 208): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    - vssvc.exe (PID 196): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    - WMIC.exe (PID 208), second sequence: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34
  Suspicious use of WriteProcessMemory (42 IoCs)
    Processes (writing process -> target process, with the number of writes reported):
    - f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe (PID 1112) -> svchost.exe (PID 2704): 3 writes
    - svchost.exe (PID 2704) -> cmd.exe (PID 2096): 3 writes
    - svchost.exe (PID 2704) -> cmd.exe (PID 1876): 3 writes
    - svchost.exe (PID 2704) -> cmd.exe (PID 1168): 3 writes
    - svchost.exe (PID 2704) -> cmd.exe (PID 3628): 3 writes
    - svchost.exe (PID 2704) -> cmd.exe (PID 3804): 3 writes
    - svchost.exe (PID 2704) -> cmd.exe (PID 512): 3 writes
    - svchost.exe (PID 2704) -> svchost.exe (PID 2488): 3 writes
    - cmd.exe (PID 3804) -> vssadmin.exe (PID 1924): 3 writes
    - cmd.exe (PID 2096) -> WMIC.exe (PID 904): 3 writes
    - cmd.exe (PID 512) -> WMIC.exe (PID 208): 3 writes
    - cmd.exe (PID 512) -> vssadmin.exe (PID 3672): 3 writes
    - svchost.exe (PID 2704) -> notepad.exe (PID 2892): 6 writes
Processes
  C:\Users\Admin\AppData\Local\Temp\f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      C:\Windows\SysWOW64\notepad.exe
        Command line: notepad.exe
  C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    MD5: 49f30697c634c40272e3aa13c370279f
    SHA1: bd543555d20162a2afcfb3a0f85cde37b7faf0db
    SHA256: c4b9272708e65c60dcd4d94a9e5f0327590963911bf3c66b27de9666a050cfe3
    SHA512: ee541518a003f153492457e3dfae6d0f05ac6d2f93360dc5708ed8f81ba19df612b8ef5a77495c0313e59162220936e41b4687bbf6df62e9c917054925e248bc
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe (same hashes as the submitted sample: the dropped file is a copy of the original executable)
    MD5: efc275dbc9e66fbbc84cfac31aeabfd0
    SHA1: 46458fe09b1d29198cb1c143d5f8d517850493f5
    SHA256: f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5
    SHA512: 45e8578bd9c58e522fe7c6680d972ce510d3fe483a70583bf192ebd1a946da8c492d5aecb126778defcaffb66550b91b047c7a9934a6b3e88c2da36a4754596e