buran | 54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7v20201028
submitted
18-12-2020 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

imposter11.exe
Size

446KB
MD5

567204cbb8d1c5908a5316f9dfdcb353
SHA1

cc7eca3c24883a3b563288c08cfab7cc248a0315
SHA256

54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371
SHA512

ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! HOW TO BACK YOUR FILES !!!.TXT

Family

buran

Ransom Note

YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US: China.Helper@aol.com ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER: Your personal ID: 64E-E71-262 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

lsass.exelsass.exe

pid process

1796 lsass.exe
2024 lsass.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

lsass.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\TestWrite.tiff lsass.exe
Loads dropped DLL 1 IoCs

Processes:

imposter11.exe

pid process

932 imposter11.exe

pid	process
1796	lsass.exe
2024	lsass.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\TestWrite.tiff	lsass.exe

pid	process
932	imposter11.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

imposter11.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	imposter11.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"	imposter11.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

lsass.exe

description	ioc	process
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\A:	lsass.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\B:	lsass.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\F:	lsass.exe
File opened (read-only)	\??\E:	lsass.exe

Drops file in Program Files directory 15266 IoCs

Processes:

lsass.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14982_.GIF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099145.JPG.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	lsass.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\!!! HOW TO BACK YOUR FILES !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\TAB_OFF.GIF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL095.XML.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\psfont.properties.ja	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR9F.GIF.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0282932.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Formal.dotx	lsass.exe
File opened for modification	C:\Program Files\GroupSelect.MTS.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00478_.WMF.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21333_.GIF	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Monrovia	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar	lsass.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\!!! HOW TO BACK YOUR FILES !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107742.WMF.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialReport.dotx.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301418.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10337_.GIF.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\MST7MDT	lsass.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\!!! HOW TO BACK YOUR FILES !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen.css	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Vostok.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Oriel.xml	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Norfolk.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR45F.GIF	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUB6INTL.REST.IDX_DLL	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_K_COL.HXK.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.properties.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297727.WMF.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14582_.GIF.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21332_.GIF.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREET11.POC.64E-E71-262	lsass.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\!!! HOW TO BACK YOUR FILES !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\QRCode.pmp	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00336_.WMF.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AIR98.POC.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02074_.GIF.64E-E71-262	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR51B.GIF	lsass.exe

Drops file in Windows directory 1 IoCs

Processes:

lsass.exe

description ioc process

File created C:\Windows\!!! HOW TO BACK YOUR FILES !!!.TXT lsass.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1524 vssadmin.exe
1748 vssadmin.exe

description	ioc	process
File created	C:\Windows\!!! HOW TO BACK YOUR FILES !!!.TXT	lsass.exe

pid	process
1524	vssadmin.exe
1748	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 85 IoCs

Processes:

WMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1156	WMIC.exe
Token: SeSecurityPrivilege	1156	WMIC.exe
Token: SeTakeOwnershipPrivilege	1156	WMIC.exe
Token: SeLoadDriverPrivilege	1156	WMIC.exe
Token: SeSystemProfilePrivilege	1156	WMIC.exe
Token: SeSystemtimePrivilege	1156	WMIC.exe
Token: SeProfSingleProcessPrivilege	1156	WMIC.exe
Token: SeIncBasePriorityPrivilege	1156	WMIC.exe
Token: SeCreatePagefilePrivilege	1156	WMIC.exe
Token: SeBackupPrivilege	1156	WMIC.exe
Token: SeRestorePrivilege	1156	WMIC.exe
Token: SeShutdownPrivilege	1156	WMIC.exe
Token: SeDebugPrivilege	1156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1156	WMIC.exe
Token: SeRemoteShutdownPrivilege	1156	WMIC.exe
Token: SeUndockPrivilege	1156	WMIC.exe
Token: SeManageVolumePrivilege	1156	WMIC.exe
Token: 33	1156	WMIC.exe
Token: 34	1156	WMIC.exe
Token: 35	1156	WMIC.exe
Token: SeIncreaseQuotaPrivilege	564	WMIC.exe
Token: SeSecurityPrivilege	564	WMIC.exe
Token: SeTakeOwnershipPrivilege	564	WMIC.exe
Token: SeLoadDriverPrivilege	564	WMIC.exe
Token: SeSystemProfilePrivilege	564	WMIC.exe
Token: SeSystemtimePrivilege	564	WMIC.exe
Token: SeProfSingleProcessPrivilege	564	WMIC.exe
Token: SeIncBasePriorityPrivilege	564	WMIC.exe
Token: SeCreatePagefilePrivilege	564	WMIC.exe
Token: SeBackupPrivilege	564	WMIC.exe
Token: SeRestorePrivilege	564	WMIC.exe
Token: SeShutdownPrivilege	564	WMIC.exe
Token: SeDebugPrivilege	564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	564	WMIC.exe
Token: SeRemoteShutdownPrivilege	564	WMIC.exe
Token: SeUndockPrivilege	564	WMIC.exe
Token: SeManageVolumePrivilege	564	WMIC.exe
Token: 33	564	WMIC.exe
Token: 34	564	WMIC.exe
Token: 35	564	WMIC.exe
Token: SeBackupPrivilege	2016	vssvc.exe
Token: SeRestorePrivilege	2016	vssvc.exe
Token: SeAuditPrivilege	2016	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1156	WMIC.exe
Token: SeSecurityPrivilege	1156	WMIC.exe
Token: SeTakeOwnershipPrivilege	1156	WMIC.exe
Token: SeLoadDriverPrivilege	1156	WMIC.exe
Token: SeSystemProfilePrivilege	1156	WMIC.exe
Token: SeSystemtimePrivilege	1156	WMIC.exe
Token: SeProfSingleProcessPrivilege	1156	WMIC.exe
Token: SeIncBasePriorityPrivilege	1156	WMIC.exe
Token: SeCreatePagefilePrivilege	1156	WMIC.exe
Token: SeBackupPrivilege	1156	WMIC.exe
Token: SeRestorePrivilege	1156	WMIC.exe
Token: SeShutdownPrivilege	1156	WMIC.exe
Token: SeDebugPrivilege	1156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1156	WMIC.exe
Token: SeRemoteShutdownPrivilege	1156	WMIC.exe
Token: SeUndockPrivilege	1156	WMIC.exe
Token: SeManageVolumePrivilege	1156	WMIC.exe
Token: 33	1156	WMIC.exe
Token: 34	1156	WMIC.exe
Token: 35	1156	WMIC.exe
Token: SeIncreaseQuotaPrivilege	564	WMIC.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

imposter11.exelsass.execmd.execmd.execmd.exe

description	pid	process	target process
PID 932 wrote to memory of 1796	932	imposter11.exe	lsass.exe
PID 932 wrote to memory of 1796	932	imposter11.exe	lsass.exe
PID 932 wrote to memory of 1796	932	imposter11.exe	lsass.exe
PID 932 wrote to memory of 1796	932	imposter11.exe	lsass.exe
PID 1796 wrote to memory of 1236	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1236	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1236	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1236	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1376	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1376	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1376	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1376	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1224	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1224	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1224	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1224	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1608	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1608	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1608	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1608	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1592	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1592	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1592	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1592	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1460	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1460	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1460	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 1460	1796	lsass.exe	cmd.exe
PID 1796 wrote to memory of 2024	1796	lsass.exe	lsass.exe
PID 1796 wrote to memory of 2024	1796	lsass.exe	lsass.exe
PID 1796 wrote to memory of 2024	1796	lsass.exe	lsass.exe
PID 1796 wrote to memory of 2024	1796	lsass.exe	lsass.exe
PID 1592 wrote to memory of 1524	1592	cmd.exe	vssadmin.exe
PID 1236 wrote to memory of 1156	1236	cmd.exe	WMIC.exe
PID 1592 wrote to memory of 1524	1592	cmd.exe	vssadmin.exe
PID 1236 wrote to memory of 1156	1236	cmd.exe	WMIC.exe
PID 1592 wrote to memory of 1524	1592	cmd.exe	vssadmin.exe
PID 1236 wrote to memory of 1156	1236	cmd.exe	WMIC.exe
PID 1592 wrote to memory of 1524	1592	cmd.exe	vssadmin.exe
PID 1236 wrote to memory of 1156	1236	cmd.exe	WMIC.exe
PID 1460 wrote to memory of 564	1460	cmd.exe	WMIC.exe
PID 1460 wrote to memory of 564	1460	cmd.exe	WMIC.exe
PID 1460 wrote to memory of 564	1460	cmd.exe	WMIC.exe
PID 1460 wrote to memory of 564	1460	cmd.exe	WMIC.exe
PID 1460 wrote to memory of 1748	1460	cmd.exe	vssadmin.exe
PID 1460 wrote to memory of 1748	1460	cmd.exe	vssadmin.exe
PID 1460 wrote to memory of 1748	1460	cmd.exe	vssadmin.exe
PID 1460 wrote to memory of 1748	1460	cmd.exe	vssadmin.exe
PID 1796 wrote to memory of 672	1796	lsass.exe	notepad.exe
PID 1796 wrote to memory of 672	1796	lsass.exe	notepad.exe
PID 1796 wrote to memory of 672	1796	lsass.exe	notepad.exe
PID 1796 wrote to memory of 672	1796	lsass.exe	notepad.exe
PID 1796 wrote to memory of 672	1796	lsass.exe	notepad.exe
PID 1796 wrote to memory of 672	1796	lsass.exe	notepad.exe
PID 1796 wrote to memory of 672	1796	lsass.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\imposter11.exe
"C:\Users\Admin\AppData\Local\Temp\imposter11.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1748

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2024

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
49f30697c634c40272e3aa13c370279f

SHA1
bd543555d20162a2afcfb3a0f85cde37b7faf0db

SHA256
c4b9272708e65c60dcd4d94a9e5f0327590963911bf3c66b27de9666a050cfe3

SHA512
ee541518a003f153492457e3dfae6d0f05ac6d2f93360dc5708ed8f81ba19df612b8ef5a77495c0313e59162220936e41b4687bbf6df62e9c917054925e248bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
567204cbb8d1c5908a5316f9dfdcb353

SHA1
cc7eca3c24883a3b563288c08cfab7cc248a0315

SHA256
54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371

SHA512
ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
567204cbb8d1c5908a5316f9dfdcb353

SHA1
cc7eca3c24883a3b563288c08cfab7cc248a0315

SHA256
54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371

SHA512
ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
567204cbb8d1c5908a5316f9dfdcb353

SHA1
cc7eca3c24883a3b563288c08cfab7cc248a0315

SHA256
54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371

SHA512
ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b

Download Submit
C:\Users\Admin\Desktop\AssertUse.bmp.64E-E71-262
MD5
7938f0ffedec0a05e9bd1f42fff89a02

SHA1
2ba0f57abc6217b16c1165a5af246283e6d1b5ab

SHA256
b75510fcfeb8d3447a84dcf2dee80e3ff56059f41009e57e08c3b7a6aa9326da

SHA512
8d9b78f20b87fde1a619d79cce7c6589c78f686e3000623ac6ad1f20a07a7be1005a38c82e3f7cd4455b4c964733d67de63e8d8cf08994a5f45b6851cfde6fe4

Download Submit
C:\Users\Admin\Desktop\BackupMount.M2TS.64E-E71-262
MD5
84fa3d441aab8048b38ef2484fa0f722

SHA1
31c665e9423a8732a0a6adb6a61a29d15a24ba73

SHA256
4d49a58b5dd26ac67e7399631255aa808191a51fb4a9aff0ce2b68173a410a21

SHA512
665ad71743a9032c7ad114329032bcffc98188db243cc01e7277b3b3e13aa958645c704e3cc70921c09acbd0ee50676402663b42b86e54fba5b2e559981cae72

Download Submit
C:\Users\Admin\Desktop\CheckpointOptimize.css.64E-E71-262
MD5
4eee444df6b14e0a984ed2228e2f072f

SHA1
510abf8b26db0de4bcd642a17386226ebcfa00fd

SHA256
19707b78573ec3fa4330a02885a27248cc01cc69cae43e59f1140581cbe1d3eb

SHA512
8036e37e6927cd2014f70e4d0510c2a7d19613813a832d3c460725f359042907660b3dd0324213a41a4a80b66d8e19a2e15c065ccfcaa369113b2feee638902f

Download Submit
C:\Users\Admin\Desktop\CloseUnregister.i64.64E-E71-262
MD5
6705d872dd6ea05e36f54cda7c74f9f9

SHA1
4b5a55c09f271c7f87f438d6f03c25508c990fd9

SHA256
ea59fbf11d6ef3eafb13c84f865aed746c14071770a06cc1c0b67f7506cb19a2

SHA512
e636cda1bf0494f3324a59010e809396a019323422ea4998bd10d938e67911a59d406e3573d98b3587d24e314914c283a84d167f59bcd5b2b88b0ab17b7702c4

Download Submit
C:\Users\Admin\Desktop\ConnectRedo.ico.64E-E71-262
MD5
01fa9bbeb9dadb5dfbf78bfdba24ae86

SHA1
88aa61902090d550ab08de7173e82c9d4cd7e37c

SHA256
1ad09340e6e343f2030c734a6d5d7a7c5baae1b8d9e235c638263ec252654f58

SHA512
25f0d18ee2bcaf041faba6ac8c42df58870879f536f04e604d23795ad70e0c9e541840713c301b9bceda4584efc73e23b21be1776993526ba1fb733acaade96b

Download Submit
C:\Users\Admin\Desktop\ConvertToNew.htm.64E-E71-262
MD5
23770b81c2c6fedef68036c892bccbd1

SHA1
52b6e75407e99e27f6542d2649cf96fa1ec1e774

SHA256
1d4c66d07170c38f11d9e593a870d0564aa93c04f5250f94ae483b0d73b04cab

SHA512
b366e14ff1278f831db53151e72917f5e4919590576fff7b88a79405ddb311df7fefc50c2135fa3269cd06402787699ea9fafaec4f838eb9dc8e278d36d98b59

Download Submit
C:\Users\Admin\Desktop\ExitUninstall.vstx.64E-E71-262
MD5
c5b240687e1a16f773fc23d2f20394fd

SHA1
e311951a60a06a7c7bbce72ef00021fc13da5dd1

SHA256
89847cf8d9d534c82fcce632996582b0da01151d8e08de011b34e376a68e95d1

SHA512
9d86f63a50ff61ebae4f035bea656f4a366460d239a6c101769c95ba7b0af969f8425aacc7d886373ef597d7af33dde3bd5344f930348e5772663bd33076bc6c

Download Submit
C:\Users\Admin\Desktop\GetUse.ADT.64E-E71-262
MD5
b9735e1c41db7fc4cee370b175799120

SHA1
e29a574eb564ac16e24e31ad4b0a6111f169ac29

SHA256
74657b14b9e9454da1ff3fba1b9105451c7c4a4bf11a295891b8da42ccd657ec

SHA512
aafaf52ed4925583c927f6e2744faa9861fb42f36f5623b0be2387b6f1d2d6047ecca5d20fee4ad593f566a41572959484694d78993a85c8a94c6ffb72df87b3

Download Submit
C:\Users\Admin\Desktop\InitializeExpand.cab.64E-E71-262
MD5
232dd451d7bb016f1edb39118436d878

SHA1
67e1757aa0148121003d8e5f9e81afbdde13ce26

SHA256
36a0765c8ab463209c8199ee4f868b9d3ad0b418d96c0d5fd58ec47a3eb851ab

SHA512
848c174c4932413128591c358edad58496d7b64ed2a21b428c0d5881e7e3c6db63da1899f6c6c7651fdf12ad5a604838fdc7d40dcdfc4ded2dcdba4fd2b8bb3d

Download Submit
C:\Users\Admin\Desktop\NewInitialize.pot.64E-E71-262
MD5
d61ec3730b589fb15526b1b8ecd3acbf

SHA1
21c1c0fc21b7dad8bef64d8fd27d125fb8aba2e8

SHA256
3ae12125a03e294010d7258b79e782fca10b646ae1124d41c7b50279f0b6a787

SHA512
576166b572e460d18713e4542ae8c82f80d33b6ffbe667719efe85695361d5292b6b4bf3696bbc0d9d210298076ead1de5031adaa3e34ca5206ded85ef77ee85

Download Submit
C:\Users\Admin\Desktop\OptimizeInitialize.dib.64E-E71-262
MD5
1685d18fdecd13258fc74c80208cc401

SHA1
1db6bdcf324ddad5028c9a0c16316e5e4f8960ca

SHA256
543bbe2903a13d7f9307fcc37c669c77ffc63c733f13458bc7a237f4b54e2a32

SHA512
cf7ad83b921c62e13b19b57317fc823201f20b3eb988d786b74636912543491efab7c9287151b1a98f4ffd537d5d0ac391fa3a6c396f22dad3df7ef78cc3aaee

Download Submit
C:\Users\Admin\Desktop\PopRestore.bmp.64E-E71-262
MD5
aaf46ca9d36c4e5a38cd4f0fa62f3060

SHA1
58e490581942467f6e0780515180ead280cbc30a

SHA256
1e007a8750d3ae03db625c9fe72e928e5a962818a771858d53ec5ff201e66555

SHA512
65efbcee7d7db79ebc750d4ce50c7ca005c9d8066b6e63054e01f5b2dcaf2fdc609e8b0e1df91c67c7b73e8ab0c45c9c4a3f9682414ef960be9a44ba22f1d3f7

Download Submit
C:\Users\Admin\Desktop\PopUnpublish.ico.64E-E71-262
MD5
d2c36587866ae530e11e881f3392180f

SHA1
207db17d4007856e90c2ffc0f652bbbf513a3b55

SHA256
d8ea4c22e1b4abb7e5d7785092912f5951c1f5f0de058f6b10efa8db601d801b

SHA512
c118019fb5b2a1eb44b9de5da236af2a97f57fd034d53d5dfe9f681278d0e02753ca2c0d50bbca87839f2a3fc0d1e66b059106d51a870bb13fca059a335bc008

Download Submit
C:\Users\Admin\Desktop\RegisterUnpublish.docm.64E-E71-262
MD5
81bcad91569a00abd2edd2f47ff30d93

SHA1
14ba289fa20a3b1743001a191112deab1feb481b

SHA256
bc3c88b2e39efaa1299a59a8b864937b906665da47fd8f160a91f9330facede3

SHA512
9997d0d3d2b78ff1a4516f462933f288a4b7e0a43e09682ccd07fac40d4a1ca3df365a8bc3963116827ffe03f3d0bd1158a5039f2cf216d2156ef9e6954186be

Download Submit
C:\Users\Admin\Desktop\RequestPublish.ttf.64E-E71-262
MD5
8b33e4e1eed24dd52e420009089e5071

SHA1
1d7c104795502aeac1aadc328bd0362fefe6d0ca

SHA256
fdd3456196e0255abcf6a7d0bf3e01e343bae5128dc08696759ce19290bb8d82

SHA512
93400736fe9f90d5affab46c1f80864a786700f5227011d1b19b2d9d69a8f4e5ff9aae142c31145b666861a873ba7c3b0156ed5bdbac09337496e260e845ded3

Download Submit
C:\Users\Admin\Desktop\ResizeCompare.raw.64E-E71-262
MD5
114b6b7e73e0489acd80f1624437f491

SHA1
4e5838dbf21e67428a24fb8fb8397a932cbc7cd3

SHA256
371fe48cc5b8dc9d27e6ea3303599b2e2fbe0deb988828930beb96b043353e72

SHA512
2f867e3ce1a3e4a0d14ec70e7e84fb41f9828f382ec66602000c7cc7de95ff0d53fe402fd8fcbb38b94cb598715ac9c4200c2b78f710be1bb0413c871678cb06

Download Submit
C:\Users\Admin\Desktop\ResolveInvoke.ADTS.64E-E71-262
MD5
42200621ecdc9ee4c573a3de42271dd6

SHA1
b8d49f998c0e06516ee29aeacc2728d423038a7d

SHA256
9fbfe95f10893a4beaaa65774e995d81bfc1d526b27275df5463934f769381fc

SHA512
5a9e9fca2765ecab79330c9d4cdbd1173b3705c13b0f565eedf315db9e18dc50e815cc7d935ea37c01e43916657a1a5918a471b2d7dfaf4865a23e380c134347

Download Submit
C:\Users\Admin\Desktop\RevokeEnable.xsl.64E-E71-262
MD5
b832570f0063c2941e4841c8d1565f73

SHA1
c9c5f4cd0cdf736694b9e9b9c8dec65658abcd85

SHA256
69bd4e94e22c16dfb4a4c4b83a1e5091bfe35957f0e04f2707212a56c9039c85

SHA512
30213519aab3305096958c639025735b15aa319ae50f9328eed67359d16ca6dc953545e81fed29e61efd0febff63cc47403d9523747ca124c486314e3d22c6b7

Download Submit
C:\Users\Admin\Desktop\SendMount.raw.64E-E71-262
MD5
e71ad1c841face82d471f65399aa69d6

SHA1
842d8b161b8c95b79c22e04a38690943f9927b26

SHA256
a33c4e4e1f3b225a896ea4d6b18adb8e820f64975e9e831cedf3b1f071ff880f

SHA512
f85dca3734a1cc4b9daf18a9e56611ee7cfa16edc670784968a869a0c559a9110f58e98a7e246f1eb5a440af34f6b4083231383130380359edf78f2a2cb63ce3

Download Submit
C:\Users\Admin\Desktop\SubmitConnect.WTV.64E-E71-262
MD5
27e6c18dfabf2067bd1d3c0b3eae6ad0

SHA1
b86e666745eabc268922c666a527d33d36d86cd3

SHA256
d92b041db398b9b4ba20a2916974f17c26ebf60abf818e2a14f00e5979877d50

SHA512
9716a55b4c637a3fb39c2b75f8001d792f2e661ea9a2a0a2b72fe7cd12c75997842f67cca0977f13429e392eed9be1e1243060ffa353279b87fbaea8aa2362ae

Download Submit
C:\Users\Admin\Desktop\UnlockFind.png.64E-E71-262
MD5
57cd516d3a0f4199803b4303d5d189d8

SHA1
c3e5550d7654f78e2c8ff00a9fc325085de3a198

SHA256
bfbd9058bc1bbb3ad3cd794e6a2764fb51c3c9a411dc244ea4050a183ca668c7

SHA512
9766b9445c99e0c81ecaa9f3d091dd28042f58b2b133dada0fa23611b33402223e97493aadfa60decd613395c21678fdaa6c58dad3dbb5c0d9e1b57b3d801d04

Download Submit
C:\Users\Admin\Desktop\UpdateSubmit.raw.64E-E71-262
MD5
37b5a3715a43c7049b46265cbafd3fc0

SHA1
5bd7d84a7ea30c4c64f29f7ecd35d33a3a078589

SHA256
041c530bfd841d9d8daec451b6b2632a3e5ca9fbcbb4defd6c3daf0ea3a82ae4

SHA512
c6055d853be25b58849e3e324d5340d756955efe52d55a82a58f4aa791d95f6839e8428eb6fdfe0ecfcf8627eff7e3f86c4cf9f1f5e80152a7ed45fca9c9ea27

Download Submit
C:\Users\Admin\Desktop\UpdateUninstall.mp3.64E-E71-262
MD5
0e154f00933271ddfddb309421582bd8

SHA1
82b66d7b93dcbc9aaf64c81bb0035edc6ff73c5f

SHA256
ff42f232dc8fa6637bcc365230da2e82da711f14b69e76f64aa74f8d5991d39e

SHA512
e13e67c549b84afe2481745c34b555ddaf7014426493c42f8cfd658fe00bf09d40697213f3458118059682f37e13470498379cc870b2b41c2e157313fb2328b9

Download Submit
C:\Users\Admin\Desktop\WriteBlock.ini.64E-E71-262
MD5
be5686bc65d605091e2c3ee49f9bd443

SHA1
2f219b30c2eeb3f10ed7846d1bea894208ddec61

SHA256
d1b5a94a361450180f68808baf54f9d78ae0fa966ef92e80941259e2c60611ca

SHA512
3a287d9e638a31f81b2017b9352630f7fbf882879cf97e6496d17999014ff14abcd6f454700c8baaae879f011a4eae3eefd81c25dca6003b0cf60c67cb7324fd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
567204cbb8d1c5908a5316f9dfdcb353

SHA1
cc7eca3c24883a3b563288c08cfab7cc248a0315

SHA256
54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371

SHA512
ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b

Download Submit
memory/564-16-0x0000000000000000-mapping.dmp

Download
memory/672-42-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/672-43-0x0000000000000000-mapping.dmp

Download
memory/1156-14-0x0000000000000000-mapping.dmp

Download
memory/1224-7-0x0000000000000000-mapping.dmp

Download
memory/1236-5-0x0000000000000000-mapping.dmp

Download
memory/1376-6-0x0000000000000000-mapping.dmp

Download
memory/1460-10-0x0000000000000000-mapping.dmp

Download
memory/1524-13-0x0000000000000000-mapping.dmp

Download
memory/1592-9-0x0000000000000000-mapping.dmp

Download
memory/1608-8-0x0000000000000000-mapping.dmp

Download
memory/1748-17-0x0000000000000000-mapping.dmp

Download
memory/1796-3-0x0000000000000000-mapping.dmp

Download
memory/2024-11-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads