Analysis
max time kernel: 120s
max time network: 119s
platform: windows7_x64
resource: win7v20201028
submitted: 18-12-2020 13:49
Static task: static1
Behavioral task: behavioral1 (Sample: imposter11.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: imposter11.exe, Resource: win10v20201028)
General
Target: imposter11.exe
Size: 446KB
MD5: 567204cbb8d1c5908a5316f9dfdcb353
SHA1: cc7eca3c24883a3b563288c08cfab7cc248a0315
SHA256: 54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371
SHA512: ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b
Malware Config
Extracted: C:\!!! HOW TO BACK YOUR FILES !!!.TXT
Family: buran
Signatures
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 1796  lsass.exe
    pid 2024  lsass.exe
- Modifies extensions of user files (1 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description / ioc / process):
    File opened for modification  C:\Users\Admin\Pictures\TestWrite.tiff  lsass.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid 932  imposter11.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
    Key created      \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run  imposter11.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"  imposter11.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: lsass.exe, "File opened (read-only)" on each of the following drive roots:
    \??\W: \??\S: \??\M: \??\J: \??\G: \??\Y: \??\U: \??\Q: \??\K: \??\I: \??\H: \??\A:
    \??\X: \??\V: \??\R: \??\P: \??\O: \??\N: \??\B: \??\Z: \??\T: \??\L: \??\F: \??\E:
- Drops file in Program Files directory (15266 IoCs)
  Processes (description / ioc; every entry is by lsass.exe):
    File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14982_.GIF
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099145.JPG.64E-E71-262
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe
    File created                  C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\!!! HOW TO BACK YOUR FILES !!!.TXT
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\TAB_OFF.GIF
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL095.XML.64E-E71-262
    File opened for modification  C:\Program Files\Java\jre7\lib\psfont.properties.ja
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR9F.GIF.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0282932.WMF
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Formal.dotx
    File opened for modification  C:\Program Files\GroupSelect.MTS.64E-E71-262
    File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml.64E-E71-262
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00478_.WMF.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21333_.GIF
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Monrovia
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar
    File created                  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\!!! HOW TO BACK YOUR FILES !!!.TXT
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107742.WMF.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialReport.dotx.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301418.WMF
    File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10337_.GIF.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.64E-E71-262
    File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png
    File opened for modification  C:\Program Files\Java\jre7\lib\zi\MST7MDT
    File created                  C:\Program Files\VideoLAN\VLC\locale\bs\!!! HOW TO BACK YOUR FILES !!!.TXT
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen.css
    File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp
    File opened for modification  C:\Program Files\Java\jre7\lib\zi\Antarctica\Vostok.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Oriel.xml
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO
    File opened for modification  C:\Program Files\Java\jre7\lib\zi\Pacific\Norfolk.64E-E71-262
    File opened for modification  C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR45F.GIF
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUB6INTL.REST.IDX_DLL
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_K_COL.HXK.64E-E71-262
    File opened for modification  C:\Program Files\7-Zip\Lang\ky.txt.64E-E71-262
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.properties.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297727.WMF.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14582_.GIF.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21332_.GIF.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREET11.POC.64E-E71-262
    File created                  C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\!!! HOW TO BACK YOUR FILES !!!.TXT
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\QRCode.pmp
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00336_.WMF.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AIR98.POC.64E-E71-262
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers
    File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02074_.GIF.64E-E71-262
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR51B.GIF
- Drops file in Windows directory (1 IoCs)
  Processes (description / ioc / process):
    File created  C:\Windows\!!! HOW TO BACK YOUR FILES !!!.TXT  lsass.exe
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid 1524  vssadmin.exe
    pid 1748  vssadmin.exe
- Suspicious use of AdjustPrivilegeToken (85 IoCs)
  Processes (token privilege / pid / process). The report records 85 events, with the WMIC.exe blocks repeated; the distinct token adjustments per process are:
    WMIC.exe (pid 1156): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    WMIC.exe (pid 564): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    vssvc.exe (pid 2016): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of WriteProcessMemory (55 IoCs)
  Processes (source pid / source process -> target pid / target process; count of recorded writes):
    932  imposter11.exe -> 1796 lsass.exe      (4)
    1796 lsass.exe      -> 1236 cmd.exe        (4)
    1796 lsass.exe      -> 1376 cmd.exe        (4)
    1796 lsass.exe      -> 1224 cmd.exe        (4)
    1796 lsass.exe      -> 1608 cmd.exe        (4)
    1796 lsass.exe      -> 1592 cmd.exe        (4)
    1796 lsass.exe      -> 1460 cmd.exe        (4)
    1796 lsass.exe      -> 2024 lsass.exe      (4)
    1592 cmd.exe        -> 1524 vssadmin.exe   (4)
    1236 cmd.exe        -> 1156 WMIC.exe       (4)
    1460 cmd.exe        -> 564  WMIC.exe       (4)
    1460 cmd.exe        -> 1748 vssadmin.exe   (4)
    1796 lsass.exe      -> 672  notepad.exe    (7)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\imposter11.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\imposter11.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
        - Executes dropped EXE
        - Enumerates connected drives
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                Command line: wmic shadowcopy delete
                - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\vssadmin.exe
                Command line: vssadmin delete shadows /all /quiet
                - Interacts with shadow copies
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                Command line: wmic shadowcopy delete
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SysWOW64\vssadmin.exe
                Command line: vssadmin delete shadows /all /quiet
                - Interacts with shadow copies
        [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
            - Executes dropped EXE
            - Modifies extensions of user files
            - Drops file in Program Files directory
            - Drops file in Windows directory
        [3] C:\Windows\SysWOW64\notepad.exe
            Command line: notepad.exe
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  MD5: 49f30697c634c40272e3aa13c370279f
  SHA1: bd543555d20162a2afcfb3a0f85cde37b7faf0db
  SHA256: c4b9272708e65c60dcd4d94a9e5f0327590963911bf3c66b27de9666a050cfe3
  SHA512: ee541518a003f153492457e3dfae6d0f05ac6d2f93360dc5708ed8f81ba19df612b8ef5a77495c0313e59162220936e41b4687bbf6df62e9c917054925e248bc
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
  MD5: 567204cbb8d1c5908a5316f9dfdcb353
  SHA1: cc7eca3c24883a3b563288c08cfab7cc248a0315
  SHA256: 54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371
  SHA512: ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b