buran | eba3e153c13f618ceef6c2cc58f67d19b008adb87d4ea0ae9861a63072b8738d

Analysis

max time kernel
91s
max time network
66s
platform
windows10_x64
resource
win10v20201028
submitted
17-12-2020 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe
Size

450KB
MD5

efc275dbc9e66fbbc84cfac31aeabfd0
SHA1

46458fe09b1d29198cb1c143d5f8d517850493f5
SHA256

f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5
SHA512

45e8578bd9c58e522fe7c6680d972ce510d3fe483a70583bf192ebd1a946da8c492d5aecb126778defcaffb66550b91b047c7a9934a6b3e88c2da36a4754596e

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! HOW TO BACK YOUR FILES !!!.TXT

Family

buran

Ransom Note

YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US: China.Helper@aol.com ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER: Your personal ID: 113-B5B-0D4 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2704 svchost.exe
2488 svchost.exe

pid	process
2704	svchost.exe
2488	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe

Drops file in Program Files directory 25700 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXC	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\!!! HOW TO BACK YOUR FILES !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent@3x.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_background.jpg	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_altform-unplated_contrast-white.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms.113-B5B-0D4	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp10.scale-125.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailSmallTile.scale-400.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-unplated.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\AppStore_icon.svg	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe.113-B5B-0D4	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsyml.ttf.113-B5B-0D4	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageLargeTile.scale-400.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupMedTile.scale-125.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\ui-strings.js.113-B5B-0D4	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\osmux.x-none.msi.16.x-none.vreg.dat	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\images\OfficeHubLogo_Splash.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png.113-B5B-0D4	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ui-strings.js.113-B5B-0D4	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\be_get.svg	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt.113-B5B-0D4	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunjce_provider.jar.113-B5B-0D4	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\!!! HOW TO BACK YOUR FILES !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-24.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_18.svg	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-up.png	svchost.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\!!! HOW TO BACK YOUR FILES !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\BLENDS.ELM	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\SmallTile.scale-125.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\WideTile.scale-200.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ja-jp\ui-strings.js.113-B5B-0D4	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms.113-B5B-0D4	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-125_contrast-high.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-pl.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul-oob.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\speechless.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\sc_16x11.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-400.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-uisupport.jar	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac.113-B5B-0D4	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookWideTile.scale-150.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\ui-strings.js.113-B5B-0D4	svchost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hu-hu\!!! HOW TO BACK YOUR FILES !!!.TXT	svchost.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\!!! HOW TO BACK YOUR FILES !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-explorer.xml.113-B5B-0D4	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\Square44x44Logo.targetsize-48_altform-unplated.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8577_32x32x32.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-unplated_contrast-white.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\css\main.css	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\javafx-src.zip.113-B5B-0D4	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-io.xml.113-B5B-0D4	svchost.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\!!! HOW TO BACK YOUR FILES !!!.TXT svchost.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1924 vssadmin.exe
3672 vssadmin.exe

description	ioc	process
File created	C:\Windows\!!! HOW TO BACK YOUR FILES !!!.TXT	svchost.exe

pid	process
1924	vssadmin.exe
3672	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 89 IoCs

Processes:

WMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	904	WMIC.exe
Token: SeSecurityPrivilege	904	WMIC.exe
Token: SeTakeOwnershipPrivilege	904	WMIC.exe
Token: SeLoadDriverPrivilege	904	WMIC.exe
Token: SeSystemProfilePrivilege	904	WMIC.exe
Token: SeSystemtimePrivilege	904	WMIC.exe
Token: SeProfSingleProcessPrivilege	904	WMIC.exe
Token: SeIncBasePriorityPrivilege	904	WMIC.exe
Token: SeCreatePagefilePrivilege	904	WMIC.exe
Token: SeBackupPrivilege	904	WMIC.exe
Token: SeRestorePrivilege	904	WMIC.exe
Token: SeShutdownPrivilege	904	WMIC.exe
Token: SeDebugPrivilege	904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	904	WMIC.exe
Token: SeRemoteShutdownPrivilege	904	WMIC.exe
Token: SeUndockPrivilege	904	WMIC.exe
Token: SeManageVolumePrivilege	904	WMIC.exe
Token: 33	904	WMIC.exe
Token: 34	904	WMIC.exe
Token: 35	904	WMIC.exe
Token: 36	904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	208	WMIC.exe
Token: SeSecurityPrivilege	208	WMIC.exe
Token: SeTakeOwnershipPrivilege	208	WMIC.exe
Token: SeLoadDriverPrivilege	208	WMIC.exe
Token: SeSystemProfilePrivilege	208	WMIC.exe
Token: SeSystemtimePrivilege	208	WMIC.exe
Token: SeProfSingleProcessPrivilege	208	WMIC.exe
Token: SeIncBasePriorityPrivilege	208	WMIC.exe
Token: SeCreatePagefilePrivilege	208	WMIC.exe
Token: SeBackupPrivilege	208	WMIC.exe
Token: SeRestorePrivilege	208	WMIC.exe
Token: SeShutdownPrivilege	208	WMIC.exe
Token: SeDebugPrivilege	208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	208	WMIC.exe
Token: SeRemoteShutdownPrivilege	208	WMIC.exe
Token: SeUndockPrivilege	208	WMIC.exe
Token: SeManageVolumePrivilege	208	WMIC.exe
Token: 33	208	WMIC.exe
Token: 34	208	WMIC.exe
Token: 35	208	WMIC.exe
Token: 36	208	WMIC.exe
Token: SeBackupPrivilege	196	vssvc.exe
Token: SeRestorePrivilege	196	vssvc.exe
Token: SeAuditPrivilege	196	vssvc.exe
Token: SeIncreaseQuotaPrivilege	208	WMIC.exe
Token: SeSecurityPrivilege	208	WMIC.exe
Token: SeTakeOwnershipPrivilege	208	WMIC.exe
Token: SeLoadDriverPrivilege	208	WMIC.exe
Token: SeSystemProfilePrivilege	208	WMIC.exe
Token: SeSystemtimePrivilege	208	WMIC.exe
Token: SeProfSingleProcessPrivilege	208	WMIC.exe
Token: SeIncBasePriorityPrivilege	208	WMIC.exe
Token: SeCreatePagefilePrivilege	208	WMIC.exe
Token: SeBackupPrivilege	208	WMIC.exe
Token: SeRestorePrivilege	208	WMIC.exe
Token: SeShutdownPrivilege	208	WMIC.exe
Token: SeDebugPrivilege	208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	208	WMIC.exe
Token: SeRemoteShutdownPrivilege	208	WMIC.exe
Token: SeUndockPrivilege	208	WMIC.exe
Token: SeManageVolumePrivilege	208	WMIC.exe
Token: 33	208	WMIC.exe
Token: 34	208	WMIC.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exesvchost.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1112 wrote to memory of 2704	1112	f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe	svchost.exe
PID 1112 wrote to memory of 2704	1112	f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe	svchost.exe
PID 1112 wrote to memory of 2704	1112	f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe	svchost.exe
PID 2704 wrote to memory of 2096	2704	svchost.exe	cmd.exe
PID 2704 wrote to memory of 2096	2704	svchost.exe	cmd.exe
PID 2704 wrote to memory of 2096	2704	svchost.exe	cmd.exe
PID 2704 wrote to memory of 1876	2704	svchost.exe	cmd.exe
PID 2704 wrote to memory of 1876	2704	svchost.exe	cmd.exe
PID 2704 wrote to memory of 1876	2704	svchost.exe	cmd.exe
PID 2704 wrote to memory of 1168	2704	svchost.exe	cmd.exe
PID 2704 wrote to memory of 1168	2704	svchost.exe	cmd.exe
PID 2704 wrote to memory of 1168	2704	svchost.exe	cmd.exe
PID 2704 wrote to memory of 3628	2704	svchost.exe	cmd.exe
PID 2704 wrote to memory of 3628	2704	svchost.exe	cmd.exe
PID 2704 wrote to memory of 3628	2704	svchost.exe	cmd.exe
PID 2704 wrote to memory of 3804	2704	svchost.exe	cmd.exe
PID 2704 wrote to memory of 3804	2704	svchost.exe	cmd.exe
PID 2704 wrote to memory of 3804	2704	svchost.exe	cmd.exe
PID 2704 wrote to memory of 512	2704	svchost.exe	cmd.exe
PID 2704 wrote to memory of 512	2704	svchost.exe	cmd.exe
PID 2704 wrote to memory of 512	2704	svchost.exe	cmd.exe
PID 2704 wrote to memory of 2488	2704	svchost.exe	svchost.exe
PID 2704 wrote to memory of 2488	2704	svchost.exe	svchost.exe
PID 2704 wrote to memory of 2488	2704	svchost.exe	svchost.exe
PID 3804 wrote to memory of 1924	3804	cmd.exe	vssadmin.exe
PID 3804 wrote to memory of 1924	3804	cmd.exe	vssadmin.exe
PID 3804 wrote to memory of 1924	3804	cmd.exe	vssadmin.exe
PID 2096 wrote to memory of 904	2096	cmd.exe	WMIC.exe
PID 2096 wrote to memory of 904	2096	cmd.exe	WMIC.exe
PID 2096 wrote to memory of 904	2096	cmd.exe	WMIC.exe
PID 512 wrote to memory of 208	512	cmd.exe	WMIC.exe
PID 512 wrote to memory of 208	512	cmd.exe	WMIC.exe
PID 512 wrote to memory of 208	512	cmd.exe	WMIC.exe
PID 512 wrote to memory of 3672	512	cmd.exe	vssadmin.exe
PID 512 wrote to memory of 3672	512	cmd.exe	vssadmin.exe
PID 512 wrote to memory of 3672	512	cmd.exe	vssadmin.exe
PID 2704 wrote to memory of 2892	2704	svchost.exe	notepad.exe
PID 2704 wrote to memory of 2892	2704	svchost.exe	notepad.exe
PID 2704 wrote to memory of 2892	2704	svchost.exe	notepad.exe
PID 2704 wrote to memory of 2892	2704	svchost.exe	notepad.exe
PID 2704 wrote to memory of 2892	2704	svchost.exe	notepad.exe
PID 2704 wrote to memory of 2892	2704	svchost.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe
"C:\Users\Admin\AppData\Local\Temp\f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:3672

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1168

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:2892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:196

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
49f30697c634c40272e3aa13c370279f

SHA1
bd543555d20162a2afcfb3a0f85cde37b7faf0db

SHA256
c4b9272708e65c60dcd4d94a9e5f0327590963911bf3c66b27de9666a050cfe3

SHA512
ee541518a003f153492457e3dfae6d0f05ac6d2f93360dc5708ed8f81ba19df612b8ef5a77495c0313e59162220936e41b4687bbf6df62e9c917054925e248bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
efc275dbc9e66fbbc84cfac31aeabfd0

SHA1
46458fe09b1d29198cb1c143d5f8d517850493f5

SHA256
f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5

SHA512
45e8578bd9c58e522fe7c6680d972ce510d3fe483a70583bf192ebd1a946da8c492d5aecb126778defcaffb66550b91b047c7a9934a6b3e88c2da36a4754596e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
efc275dbc9e66fbbc84cfac31aeabfd0

SHA1
46458fe09b1d29198cb1c143d5f8d517850493f5

SHA256
f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5

SHA512
45e8578bd9c58e522fe7c6680d972ce510d3fe483a70583bf192ebd1a946da8c492d5aecb126778defcaffb66550b91b047c7a9934a6b3e88c2da36a4754596e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
efc275dbc9e66fbbc84cfac31aeabfd0

SHA1
46458fe09b1d29198cb1c143d5f8d517850493f5

SHA256
f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5

SHA512
45e8578bd9c58e522fe7c6680d972ce510d3fe483a70583bf192ebd1a946da8c492d5aecb126778defcaffb66550b91b047c7a9934a6b3e88c2da36a4754596e

Download Submit
C:\Users\Admin\Desktop\AddReset.mov.113-B5B-0D4
MD5
67e3b1da2fcf65af34329eaf261c31e4

SHA1
928a0af3c7083dafc79816435394d9f8ace28773

SHA256
b5bae3c4587c100fb9b96ec890e57eecfa81bc6768e43844eeae6b8488806d53

SHA512
7465712ccb29289a92bdc4aede9fad16b82fe9dd3fc0c0c53aac5295017e860b9540d4c0acadda346410231361abeff3ac31ce8ea36d9f3ae010dbeabea8f37d

Download Submit
C:\Users\Admin\Desktop\ApproveNew.wmv.113-B5B-0D4
MD5
3d0a6a29d49131930e70f9ca942cdcb9

SHA1
9231e6a849edeb3306d811e2b26f1c11c5d269ff

SHA256
b6f2a1cca51a942651ce2182c42b820d723f563da7f394a32aa21a4880d9ad0e

SHA512
a4568cc63e94ca039e89809204bdce71af0337efdf40a02779b11ce4561ada4d6eb5493e133e5bbf5266c03de2031e9b018e8ec503e448ab2857f9984306c310

Download Submit
C:\Users\Admin\Desktop\AssertImport.shtml.113-B5B-0D4
MD5
859f75a3574cbdc60d824e9969d046c0

SHA1
6ec6ef0e52447d1ae77c0f5e15f6f7f78f5bda73

SHA256
a692d8520a8f96d4f3cdeb5db898a34fff48101e3246f788daff095dedf919d1

SHA512
2acbc3e5b1544992c0f09c0f64988dc43b745d0d5b3a23483da4ac9ed06e4561701680403899b72a1bd44ee524a2d9ebd58f71ef4e024e566298db29aa25a094

Download Submit
C:\Users\Admin\Desktop\ClearCompress.docm.113-B5B-0D4
MD5
218966c36147ce36d7fe9f8ea11bc653

SHA1
478eca382222666776e4e34be5dc215e762d0c93

SHA256
819365c5892866f58a78647a85a8c4006fca140192fc9336e318367163882b4e

SHA512
5457cb1d69aefb39a8b506f014ab4dfa2c9ae8685f99d51541569bf51dc99d28e2476fc05debacfe6e4700d5b71a560482c020d004c5df7e4816053f3a3373af

Download Submit
C:\Users\Admin\Desktop\ClearConfirm.gif.113-B5B-0D4
MD5
2f86392190575d08d054f1e3aaec50ed

SHA1
d01546f340e3efeffba65ade0d4ab1fa7b28654a

SHA256
53feb45a0326f0475494823673f823720e0e96d65750d9558fcb16b85bae68a7

SHA512
24dacf276b1bcd995ce2def2baa614d256a2e0109c9fa7cd180ef2fa064eb95a36f82a14f8e1b5165cf4fda88e9d8c73707cfd325129181af489b6c27b09e09b

Download Submit
C:\Users\Admin\Desktop\CloseResize.odt.113-B5B-0D4
MD5
13a7c093c8f7dd08a57ff511986163b8

SHA1
1339573eedf84171801d90c5fcbfd3efdefb41af

SHA256
121e0359596c35f235335e7ac3783ca2c7e40bf9917a249cfebef4f870adc17c

SHA512
a1b3364d2bfb369f30b97566757bf2bd4d610c740bf94500900ed17b17f1362a03d2f3aabcc4a966a32306793f5528ee20cd1022a44a3fd6e445040dba8960b5

Download Submit
C:\Users\Admin\Desktop\CompletePing.ps1.113-B5B-0D4
MD5
5db39e49dfacd4677f985820d50718b8

SHA1
3bd91dd52ab49dc0aed6cc2baa46edc60c51437f

SHA256
48268dfea1b524db83daff67aaff07d7bdf49c13fa251033952ca909ada78078

SHA512
a2149cfa528252a6cb86be609d97e85ea5659212af3dcd20011f51700a3dffd19d11970a3427f64ae9fea84912d38d47b1ce52b788e5741b8bbd9cbe1167063a

Download Submit
C:\Users\Admin\Desktop\CompleteRequest.3g2.113-B5B-0D4
MD5
689c3f41965b2c91eab6218b8ba9d2ea

SHA1
bf87e1d450d44931ee7a62c2af97ad27b3d918e4

SHA256
876ef53963f61e1809b5c8fc7fefd9eefc8906aea92ef0a02bfc801456278264

SHA512
5b8af48d2a13edd612ca51a26c4e83c6ce269de3373f09780dcf5d9b3a9f583988c73bc9c87cd06ebdac6a6d8a094d529fd1ad0453ec16deb0f17cea857d5534

Download Submit
C:\Users\Admin\Desktop\ConvertToConnect.MTS.113-B5B-0D4
MD5
302c00490ce9a27e1144290c0c19b1fc

SHA1
b06dd333398465a77aa175429398c42b9f219bd7

SHA256
72204b83dc4a575ea37778d01b4ae669409c7ec54ee78f3a13dca9002ec8b111

SHA512
bc90a6a1fac5d065bae294b6d3a692d29480582a2d1e097e0fee8ad542a0ddf0b3cfc58db814e3e766c6237c138df758869775c264ac12a4711c839b7534f67a

Download Submit
C:\Users\Admin\Desktop\DisconnectGet.ocx.113-B5B-0D4
MD5
7171f7051f578b0eb482060d5de7f9ef

SHA1
542030c99cbd169414a46d4bc8d5107ecc313031

SHA256
d39ae5820349980face9603d850ca9a0c75147c99cffeb0ab9b5a40ef3ec8e4a

SHA512
07729fde0ae2cbf6002909eb17e8d476f2a1da57311f337bf6e1b13a616d20d9ee2f5ef5bbca15585127caf72fde7e1800b20cc399ab802098a75fcf5cb974b0

Download Submit
C:\Users\Admin\Desktop\GroupWrite.mov.113-B5B-0D4
MD5
2822a2b9dae64bed97d9508646f1f252

SHA1
e1a6676733141cec3a9e48494dc5ee319d83fd9f

SHA256
e4681e97d0533c1aa5a3e9d2deb12258630fffca5e75243dbfb18c75ac53ff6c

SHA512
6f625ef36be556d23fe6b4e911a022713e472f7bd130779d8767075d56007b08e0053c2ed3df003ccf04eb10296cc600146e0c1462dc2bfef446507ece52684b

Download Submit
C:\Users\Admin\Desktop\InvokeMerge.mpeg.113-B5B-0D4
MD5
0e9af9ee6fd7f05969b598cdf26f8d7f

SHA1
c6f5212b5225c55c3d89d3016539caefbeef35fa

SHA256
7fcbbf5438abebc8cb7271ef991c7d9d88d1835e7c596850868190092b8058c4

SHA512
193bcbdb48ebaf6ab25865dba7ff4be2aadbd7811c0c31cb226ff4a4156c2d9205bf0d59fe15d4f86518627290238c91dbc6c7a131c2c169d7b29f4655453551

Download Submit
C:\Users\Admin\Desktop\LimitReceive.cab.113-B5B-0D4
MD5
02eae1a5c694f0e46249698e58030968

SHA1
3a9980aa5934235ef364682230a7c951402c8696

SHA256
f7b29d5091d6e43d53c815575e1f6868f29ed287479438cd853e9e586703a1c6

SHA512
d90a949a3581c5efcef927fd14b79cf935b63a51f74dc5590d13e2a94e888c7559944b6bcaa086309dbe067e2c7f6919592b315f274e29eb957003417f35d798

Download Submit
C:\Users\Admin\Desktop\MergeUnblock.MTS.113-B5B-0D4
MD5
c4b04f5c08a34ae5616770097da486c1

SHA1
59c4967358bda8f41c8dd50fa97be291e7741328

SHA256
a6101e36e60b4963b0354e38411b9d11e3867a4aea5c635e69871f90c9713c7a

SHA512
4edfaa247946d95389711f90550c4b3f989be8a79aab0c886ab8ded0a5a5b3f2de8fe9b1fe04c98fbc94136400601d03d4b9d663841463557932d623af47d1c0

Download Submit
C:\Users\Admin\Desktop\ReadConfirm.vssx.113-B5B-0D4
MD5
1b3b289788cd841843a31546dd1ff4cc

SHA1
9335a35dfb672f9ce2bb8a54b63ef21de3c25018

SHA256
000e0bd24ca0f5ae766e560107a4da8e708463b5f124dd8dbc2d4287a62f6033

SHA512
3bb47ddeec668d0fc28befd0f01fbda66b76c5af1854553bd9ec6df10b1e8352e3a4133b58eae7a4d66568fafa059ce010e7ff3fb702941101abd3a73dcf60bf

Download Submit
C:\Users\Admin\Desktop\RegisterSubmit.3gp.113-B5B-0D4
MD5
5598f60b5fee73b54a40e80e839caca6

SHA1
e7676583e87a51aaed9480823e66bb47b4a8b16e

SHA256
8087d9ed2d925f41b738e4ee6e75719b65c53dcc2696be72449ffa8cc3e8f2ed

SHA512
10103b06333d2c2561001d44f8272ef71f25f89cadabffea15bd285ba288595ac8a25543f4fde55980be06adbe22b1a36835a9b293eab5f58615cf1c0db93fe2

Download Submit
C:\Users\Admin\Desktop\ResizeStart.mpv2.113-B5B-0D4
MD5
d5d3e4ccc2729d5d44a9a2cbc3b8b9f6

SHA1
8f415bf3b54dfb702de0018dc5621790646b2c2a

SHA256
aa077c695846a60aacd56d18efc00c27d0dae63cd0b46b03e2da3518956cf6a1

SHA512
da381866a0d08557b795922275d9ce2f0a7948e93df132a0243a0c653d7c998ed7fedbca1891b8c014e356c0af1e712e1736f5b9163f6397a261f2a92b943295

Download Submit
C:\Users\Admin\Desktop\RestartShow.mp3.113-B5B-0D4
MD5
4b293ad190f836a4af43674ecaa80e48

SHA1
e345e59705c91fc38737f95ee5dcaa5a4cfe0758

SHA256
e4a8fa7ef714178183e851f86e5e20dde20a30127a890abfbc73239878a8963a

SHA512
f4513343478eb0dc0024117f4a746c5538a39c4d732f8bcf2c90afaecad47956e3bf0059aef31641ad830aaeb3d0b83af0973e504016cbb39489b4e429eb4462

Download Submit
C:\Users\Admin\Desktop\RestoreRevoke.asf.113-B5B-0D4
MD5
e6c11f18cab8fb1fcd22578f24ee5794

SHA1
2af13e175429784ce437b80978f774bd84f0c6b2

SHA256
99d6da8d821dbc81435caa275d96fa29bddf495c50a66e0665e8d57d2304fddc

SHA512
f82e0f51a6e268b8478c6e6a9db38cfc1883cdd9af5564b9b0bb6b14a0235339d08d20206cd627a177f0169688faf0b08cd9030098af6a38169c863066579b84

Download Submit
C:\Users\Admin\Desktop\SelectDeny.html.113-B5B-0D4
MD5
8cec0e3f228b02c81c2e33fbfc04d3fb

SHA1
fc2378aca1997d0b96322c8391c58e32b703fd77

SHA256
5bfc1e1785d4f4356724ec66d90ce7964eb9efa44cf871b0749eaa205e398685

SHA512
4c6dd9286991f1d83cd9eb24b843b544f74a0f80bf339772898ad2dc8e34909629f154b0797acf81134ab0ef30a836d87a7b8e9c3365e51076e3d76b645e956e

Download Submit
C:\Users\Admin\Desktop\SetShow.clr.113-B5B-0D4
MD5
c4b3f4d81a270bae9fcd8a49778dd4e1

SHA1
a5aded11450f0230b48618ccabc31da108401408

SHA256
76bbd7014ffcb77189abd9b55f41712de263ea4dead4c7d499ae3d47ddd05ac7

SHA512
256467d981c49be2b58c0f30312cf6041bd4f62a9f3b45e4bd7f6d40fbc596924594e656fc4c565486832ae3813f817f1bbd49b24a8faee0ca3ebe263fa77b97

Download Submit
C:\Users\Admin\Desktop\SwitchProtect.dwfx.113-B5B-0D4
MD5
5ceb1abd0c12f176b0bdd5910ad8c859

SHA1
64ef66aad577913f6375fdce7515b2e34f44e7f9

SHA256
8fe1360938d787f76beb3d88a8156c50ce4a040700fdb618a36ba82bde2e07da

SHA512
4964bd2223a03da8670e65c2359b398027a432800fe1eebc9863359d5d77139e9cc9433a47bbda58a86b7819484224c7a548cbd1cddb4561f50e6ef61ab88319

Download Submit
C:\Users\Admin\Desktop\TestPop.TS.113-B5B-0D4
MD5
27f36d3c97284fac9b45690c644cbdaf

SHA1
d06749ae2116391a0cff3a00f3e202296d692e6f

SHA256
d661969b6ccd791a9a90c30f1052a0d68b3bc99b106d5a529eba73c2bfe3a7b1

SHA512
6fb89a4c21564d60e206a480e9ffc5fad983ff119b9523fe1b159fe0465457ccb58e1313223078eeb0d78b4d4d76548d0b57b0818fc77ec2eb9bc8c9fdf2e967

Download Submit
C:\Users\Admin\Desktop\TestSubmit.rmi.113-B5B-0D4
MD5
a9847bcfe8b437350330bd0c2a21338e

SHA1
4dbb342ece691bfe7f8b2c9fffa55b2dd87e2d30

SHA256
611773bf5f095edfa42dafb839ec4feb4ed6c93ab0c9bce0ede3263327cc053c

SHA512
eddc46f2935c3ee80dd79538877e080ca96e0612e85cb60e8eaa79dea7af23b42aba4873c2785bf52b576e1fa783e9302797ae6bf25bad38f9887b40e2e4faa4

Download Submit
C:\Users\Admin\Desktop\UndoInitialize.raw.113-B5B-0D4
MD5
9c7ea46d5d9e9070add88d41cfca6f05

SHA1
1b4eeccb8c15e0de9919bfdeb7db83f4a52b2412

SHA256
fc7adce262aaf985c2a2ea024eb64528b591cdb580792a281e3dd56405445665

SHA512
8f355cc263e1e3f9765f8b07cb05499a49981733e375f76181c2311c6281557b0e432e9f4b82335a62c7c39f8a522264b82d61331097a788360527daccf6676b

Download Submit
C:\Users\Admin\Desktop\UnlockAdd.ogg.113-B5B-0D4
MD5
190a4ff0303194756582da4334bf0c59

SHA1
937edea79be629fea360c7cfdbd82d9524ddd73c

SHA256
c3411ed725ae760ee32ce4d5f46624df14f0ed06cef134cf9e172bfeba3a1e63

SHA512
644de955374a3c32668a73029174271a69aaed01a783d6a56ce7255264b07cd1385d64149b9c3a3d93530f98e14e843ed013dd5e404d7084b2b8e3ec8ee53b51

Download Submit
C:\Users\Admin\Desktop\UpdateClear.midi.113-B5B-0D4
MD5
bd526caadd581a5cbcfa291c7cf228f1

SHA1
92cf8c2a3751c6ee3a2da2f44d9a4794dc69ef85

SHA256
9908f4fa1581faf046aa88ab51f8fe81f07c4a002342e4be30f6013197eb8ffd

SHA512
052161f166b58b14b6daf3c4869a9fa7a6d8a1570427ccca8217ea46bff3cca01af2e65258e01cc518d82015ab2b505f4235f6f9fecd0b5982ccd63855b15839

Download Submit
memory/208-16-0x0000000000000000-mapping.dmp

Download
memory/512-10-0x0000000000000000-mapping.dmp

Download
memory/904-14-0x0000000000000000-mapping.dmp

Download
memory/1168-7-0x0000000000000000-mapping.dmp

Download
memory/1876-6-0x0000000000000000-mapping.dmp

Download
memory/1924-13-0x0000000000000000-mapping.dmp

Download
memory/2096-5-0x0000000000000000-mapping.dmp

Download
memory/2488-11-0x0000000000000000-mapping.dmp

Download
memory/2704-2-0x0000000000000000-mapping.dmp

Download
memory/2892-45-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/2892-46-0x0000000000000000-mapping.dmp

Download
memory/3628-8-0x0000000000000000-mapping.dmp

Download
memory/3672-17-0x0000000000000000-mapping.dmp

Download
memory/3804-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads