Analysis
- max time kernel: 110s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 18-12-2020 13:49
Static task: static1
Behavioral task: behavioral1
  Sample: imposter11.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: imposter11.exe
  Resource: win10v20201028
General
- Target: imposter11.exe
- Size: 446KB
- MD5: 567204cbb8d1c5908a5316f9dfdcb353
- SHA1: cc7eca3c24883a3b563288c08cfab7cc248a0315
- SHA256: 54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371
- SHA512: ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b
Malware Config
Extracted
  Path: C:\!!! HOW TO BACK YOUR FILES !!!.TXT
  Family: buran
Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (2 IoCs)
Processes (pid, process):
  2684 | taskeng.exe
  504  | taskeng.exe

Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (description, ioc, process):
  File opened for modification | C:\Users\Admin\Pictures\ConvertFromBlock.tiff | taskeng.exe
  File opened for modification | C:\Users\Admin\Pictures\FormatPing.tiff | taskeng.exe
  File opened for modification | C:\Users\Admin\Pictures\RedoSwitch.tiff | taskeng.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
  Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run | imposter11.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start" | imposter11.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process):
  File opened (read-only) | \??\N: | taskeng.exe
  File opened (read-only) | \??\L: | taskeng.exe
  File opened (read-only) | \??\H: | taskeng.exe
  File opened (read-only) | \??\Y: | taskeng.exe
  File opened (read-only) | \??\V: | taskeng.exe
  File opened (read-only) | \??\P: | taskeng.exe
  File opened (read-only) | \??\A: | taskeng.exe
  File opened (read-only) | \??\W: | taskeng.exe
  File opened (read-only) | \??\T: | taskeng.exe
  File opened (read-only) | \??\G: | taskeng.exe
  File opened (read-only) | \??\M: | taskeng.exe
  File opened (read-only) | \??\J: | taskeng.exe
  File opened (read-only) | \??\I: | taskeng.exe
  File opened (read-only) | \??\E: | taskeng.exe
  File opened (read-only) | \??\B: | taskeng.exe
  File opened (read-only) | \??\U: | taskeng.exe
  File opened (read-only) | \??\R: | taskeng.exe
  File opened (read-only) | \??\O: | taskeng.exe
  File opened (read-only) | \??\Q: | taskeng.exe
  File opened (read-only) | \??\K: | taskeng.exe
  File opened (read-only) | \??\F: | taskeng.exe
  File opened (read-only) | \??\Z: | taskeng.exe
  File opened (read-only) | \??\X: | taskeng.exe
  File opened (read-only) | \??\S: | taskeng.exe
Drops file in Program Files directory (25683 IoCs)
Processes (description, ioc, process), 64 rows captured:
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\deploy\splash.gif.8E5-AA3-C3C | taskeng.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXC | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8196_24x24x32.png | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteMediumTile.scale-400.png | taskeng.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\selector.js | taskeng.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\!!! HOW TO BACK YOUR FILES !!!.TXT | taskeng.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml | taskeng.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\release.8E5-AA3-C3C | taskeng.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms | taskeng.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark.png | taskeng.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim1.sad.scale-200.png | taskeng.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\!!! HOW TO BACK YOUR FILES !!!.TXT | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-64.png | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-60.png | taskeng.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses-hover.svg | taskeng.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js.8E5-AA3-C3C | taskeng.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-fr_fr.gif | taskeng.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar | taskeng.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms.8E5-AA3-C3C | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8196_20x20x32.png | taskeng.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\!!! HOW TO BACK YOUR FILES !!!.TXT | taskeng.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Info.png | taskeng.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.8E5-AA3-C3C | taskeng.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sqlpdw.xsl.8E5-AA3-C3C | taskeng.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\ui-strings.js | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W6.png | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\skin_beeps.lua | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_contrast-black.png | taskeng.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\!!! HOW TO BACK YOUR FILES !!!.TXT | taskeng.exe
  File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\!!! HOW TO BACK YOUR FILES !!!.TXT | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-20.png | taskeng.exe
  File created | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\en-us\!!! HOW TO BACK YOUR FILES !!!.TXT | taskeng.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\!!! HOW TO BACK YOUR FILES !!!.TXT | taskeng.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg.8E5-AA3-C3C | taskeng.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png.8E5-AA3-C3C | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\WideTile.scale-125.png | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\dull_tauri.png | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\va_16x11.png | taskeng.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\warning_2x.png.8E5-AA3-C3C | taskeng.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\ui-strings.js.8E5-AA3-C3C | taskeng.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ar-ae\!!! HOW TO BACK YOUR FILES !!!.TXT | taskeng.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png.8E5-AA3-C3C | taskeng.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.8E5-AA3-C3C | taskeng.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\msipc.dll.mui | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\Icon.targetsize-16.png | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\mask\11c.png | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\tk_60x42.png | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-100_contrast-white.png | taskeng.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\!!! HOW TO BACK YOUR FILES !!!.TXT | taskeng.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\ui-strings.js | taskeng.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.8E5-AA3-C3C | taskeng.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\jfluid-server-15.jar | taskeng.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\jsse.jar | taskeng.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\THMBNAIL.PNG.8E5-AA3-C3C | taskeng.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\!!! HOW TO BACK YOUR FILES !!!.TXT | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\12s.png | taskeng.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\pl_60x42.png | taskeng.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nb-no\ui-strings.js.8E5-AA3-C3C | taskeng.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\tr-tr\!!! HOW TO BACK YOUR FILES !!!.TXT | taskeng.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\da_get.svg.8E5-AA3-C3C | taskeng.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif.8E5-AA3-C3C | taskeng.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\!!! HOW TO BACK YOUR FILES !!!.TXT | taskeng.exe
Drops file in Windows directory (1 IoCs)
Processes (description, ioc, process):
  File created | C:\Windows\!!! HOW TO BACK YOUR FILES !!!.TXT | taskeng.exe
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, process):
  4064 | vssadmin.exe
  3988 | vssadmin.exe
Suspicious use of AdjustPrivilegeToken (89 IoCs)
Processes (description, pid, process), 64 rows captured and grouped by process in the order they appear:
  WMIC.exe (pid 3064): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  WMIC.exe (pid 2296): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  vssvc.exe (pid 2832): Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  WMIC.exe (pid 3064): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34
Suspicious use of WriteProcessMemory (42 IoCs)
Processes (description, pid, process, target process), identical consecutive rows collapsed with a count:
  PID 64 wrote to memory of 2684 | 64 | imposter11.exe | taskeng.exe (x3)
  PID 2684 wrote to memory of 1380 | 2684 | taskeng.exe | cmd.exe (x3)
  PID 2684 wrote to memory of 2968 | 2684 | taskeng.exe | cmd.exe (x3)
  PID 2684 wrote to memory of 3808 | 2684 | taskeng.exe | cmd.exe (x3)
  PID 2684 wrote to memory of 1504 | 2684 | taskeng.exe | cmd.exe (x3)
  PID 2684 wrote to memory of 1080 | 2684 | taskeng.exe | cmd.exe (x3)
  PID 2684 wrote to memory of 488 | 2684 | taskeng.exe | cmd.exe (x3)
  PID 2684 wrote to memory of 504 | 2684 | taskeng.exe | taskeng.exe (x3)
  PID 1080 wrote to memory of 4064 | 1080 | cmd.exe | vssadmin.exe (x3)
  PID 1380 wrote to memory of 3064 | 1380 | cmd.exe | WMIC.exe (x3)
  PID 488 wrote to memory of 2296 | 488 | cmd.exe | WMIC.exe (x3)
  PID 488 wrote to memory of 3988 | 488 | cmd.exe | vssadmin.exe (x3)
  PID 2684 wrote to memory of 416 | 2684 | taskeng.exe | notepad.exe (x6)
Processes (indentation shows parent/child depth in the process tree)
- C:\Users\Admin\AppData\Local\Temp\imposter11.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\imposter11.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
    Signatures: Executes dropped EXE; Enumerates connected drives; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        Signatures: Interacts with shadow copies
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
      Signatures: Executes dropped EXE; Modifies extensions of user files; Drops file in Program Files directory; Drops file in Windows directory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        Signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad.exe
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  MD5: 49f30697c634c40272e3aa13c370279f
  SHA1: bd543555d20162a2afcfb3a0f85cde37b7faf0db
  SHA256: c4b9272708e65c60dcd4d94a9e5f0327590963911bf3c66b27de9666a050cfe3
  SHA512: ee541518a003f153492457e3dfae6d0f05ac6d2f93360dc5708ed8f81ba19df612b8ef5a77495c0313e59162220936e41b4687bbf6df62e9c917054925e248bc
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
  MD5: 567204cbb8d1c5908a5316f9dfdcb353
  SHA1: cc7eca3c24883a3b563288c08cfab7cc248a0315
  SHA256: 54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371
  SHA512: ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b
- C:\Users\Admin\Desktop\AddPush.jtx.8E5-AA3-C3C
  MD5: efb55cc5779d6c74800131d31a3141c4
  SHA1: 4b4d2e3c8277944cecbcc2e0a859a9bd9cc3855a
  SHA256: c15aafb321838647e7289a3897746de8c085095ed0257a29f1022802138dab2d
  SHA512: 7272dec7188848aadeafbb64ec0fd065818bc89ba7ef52b76d3dcf893dadec3446938110efa1f415de67b1c7ec890b7c7127f4378b44fe5c9f887c2348873ac7
- C:\Users\Admin\Desktop\AddRestore.gif.8E5-AA3-C3C
  MD5: 4574f774ea6aca8c2a9700c3741c3df2
  SHA1: 0cbff00761fd9d9c164463564ade153af6a6cd22
  SHA256: 6bfc04cf644724f154f080e15b9a0ec10fce7d370c4b19dc0af869d561ff8dd9
  SHA512: e89399d2a609a2f9d2529e5211dc007cdd710c97549dfb8c34c87040c75d057ae72cc1ceee09daa975a10d277fb0d6fb591ac60f903bec59a5b18c8c832c064e
- C:\Users\Admin\Desktop\AssertPop.mhtml.8E5-AA3-C3C
  MD5: 8a2d50434b6872554d7efca9be4f84b4
  SHA1: a61868a82b878cf57fb1422eecec5ed65c752f00
  SHA256: f7e4bc1c3b29da40b3912ac7db563b54978d32e0517934158e98101bcca98e89
  SHA512: e5c237ac70ba0864cea3281c9a3595df80157ad79ac08c19d2d71e81f74b19a6be03f39ca85efa0bbf9ceb3a987f33b77d83ed9a8cb4fe33f4c94ea58b8432ba
- C:\Users\Admin\Desktop\BackupStop.search-ms.8E5-AA3-C3C
  MD5: 545081a939995162163ab7425793766b
  SHA1: 6b1b0e1f2c05fa4ef2f12f3b441776dd36fc4d93
  SHA256: d331cb4c2ea838a7fd6558f07ecefc569c48b78dd0480695b62cae4a36f2b790
  SHA512: 62d9c553643180ff6cf9600eaa2c4e2758918fd67a82663b4f88df115f1c896cece0d2d0cd3165077b033ccc37c97468c007720e8c756d6f1fdcc2e4ceed1649
- C:\Users\Admin\Desktop\BlockImport.inf.8E5-AA3-C3C
  MD5: 18e620f7d74f53fe1b718c565c40b29b
  SHA1: 1c5d3a92c372ec5dad477ba9bb75b661470cdd4f
  SHA256: 49ddb0827f4cd53c554cd9a0dc33b303054a983967d11d0abecb5b11c92ea3fc
  SHA512: f1dfce095d30f97d0b6fa23aa43fd7898e6aad8fdcc0ac9404c530b12e0c3725edb3c077ac040bf695cac2915986bdb968baad83895cf65bd0dea1f41e085fad
- C:\Users\Admin\Desktop\CloseTest.asf.8E5-AA3-C3C
  MD5: 9aebba647b6fe2ea449f79b6ce07f56e
  SHA1: b750496b6607dbccf15f7be2ab3915c95532eb8e
  SHA256: 0e7427eea52bdd8b88cc6dd1fecf58ee078f4748686b93c0c98d3d9fee26d471
  SHA512: b074048932d4133be87a0148c5037980bae5cbb184ff397ce2876fe895bf21c81c49d253546590e04ccf906e25d1420f5ac0cc33de51f3fd5897411f232eeddc
- C:\Users\Admin\Desktop\CompressSet.svg.8E5-AA3-C3C
  MD5: 894eefd0834b2ae0cc22e46448965d39
  SHA1: 1db36c10d5d843cd04b1e464f32e76d815a863d5
  SHA256: ecf07f3c8b1c328a798356b0f3c6010a2153972a1bf92fa82eb39e7271f6934a
  SHA512: e30a72120f4b9a3a641b092abdaba8cb6113ca60b7897b20f1af367d44587b82599c8a0c6a1dc68ba6456e6a7c3c9250015d397096e51851638eb8da3d4c1949
- C:\Users\Admin\Desktop\ConvertToSkip.xht.8E5-AA3-C3C
  MD5: ef20b13f5beb1b6c9591452203494362
  SHA1: c734d971e1b6dcb839ed4758dee8c8169e926886
  SHA256: a938a7239401b73b9dbccc3b7994ffe9e515fb60b43140baab2a75b846e4eb57
  SHA512: d72da5b4383b615a16d6c908a0387cd8aac74fdcc4130604529cd7c8d0e9dea21c60df29e51142a66cf33f873fc7ec44e094ed1c5b5e57e05b024c619000981a
- C:\Users\Admin\Desktop\ConvertToUnpublish.ogg.8E5-AA3-C3C
  MD5: 05d517f2b8e4e0ce0058fd550ba08be9
  SHA1: 20410b51b473fc999f5f346fac5464d287c97a9b
  SHA256: c81d5180ab4bb94e0c274e9817ce61cebd0f22b9862f8d3e249d515116a1578f
  SHA512: a89c00ed40f462d20b6d5e951b8d4720108ef16d9c6f9a5bab1eac609edefa8d422b1577546a1cb34f60efe6c3d13f553ee6a44c8b394664a37ca64e70b0b519
- C:\Users\Admin\Desktop\DebugUse.midi.8E5-AA3-C3C
  MD5: fb6774565737cb629b935ae320f445ea
  SHA1: ad1f304cadd2538ccacc2b0f31c857d51d812591
  SHA256: 5cbe9657b5ab4e155af9d827263ba1d34f23d4e41ef5e7044421c292ad01741d
  SHA512: 1515897c611b9a7b293455c48bf42a7a93892fe7245c9d06e8aaba4e96d0a999e7c0be4d6f252a41dc49e2cdc718a0d164e11cffdab5514829173f28011286da
- C:\Users\Admin\Desktop\ExitGet.mov.8E5-AA3-C3C
  MD5: 037b8fdc57826fb110ce28d7bf867563
  SHA1: 70a6c6ee1ffefb9b5bbc2dd16251864dae4086f3
  SHA256: 43b4e33f97d57e7a9d64e613582f1eb1113ec33019ae2e49ec7ae1561169fe31
  SHA512: 2421449ed74eaa4ff2e3fcebb7d182d9e7fca3f3c68e4c9333d37eb12343a01339fdb6b9522115e7015aed742389e3017189c1d01f94d3c385e911b4852f292d
- C:\Users\Admin\Desktop\ExportStart.m4a.8E5-AA3-C3C
  MD5: 95d3e6f7ff2d37209bd336b2e09dd12e
  SHA1: 49096e2b9a0dd0bc07bcda8e9f0f8ab91bcdf72c
  SHA256: 1dcaddd96507fbbfbf8df23ab08a2d3cf8354c3f769c973901fae65c250f732a
  SHA512: 869d357a8defc5e41479659ecd48ef462b4f34c9a29d2b2f95eb20e3ec644b61d2ad22b3d6beb891b5180b37d654969b9aa29b6f665ec8585e661249f8325605
- C:\Users\Admin\Desktop\GroupCopy.vst.8E5-AA3-C3C
  MD5: 3a80062b08e475b1735d574ca6d7e362
  SHA1: adce9d9f97e0f15af3ea10e746e131ae4a0056b2
  SHA256: fd83a9bd58e26a375b73dec3e497457784d8ab80650e16864d226b3136f1d4c3
  SHA512: 7a8f60f58a9814d7c30b385371a0be3140773c63c2b325c367b005c6e8d2db8e7f1c06c5b0381c5d3ec45c3c0dae3271aabeb73ea4b04367d4281d99fff9928c
- C:\Users\Admin\Desktop\InstallConvertFrom.pot.8E5-AA3-C3C
  MD5: 7bd1a8ca00989bd2bee5ebe1ffc70b0a
  SHA1: e975d08b6e60540d3e3778391a7b027162de4533
  SHA256: d79ea265d6ab64ada5c161680c12271b1191e53faf770823a20583fa2ef90d47
  SHA512: 552dcab555e8ec24cbb5897e73ffa69a3a157f5f403338f86237fb229859b6e0230b739e05ede6fdbb7e15aeba12ee50622e0c72549f160155c855dd61902a4a
- C:\Users\Admin\Desktop\PopLock.vsd.8E5-AA3-C3C
  MD5: 1b6b27231b17a5e925bb97d51f8da140
  SHA1: 433057c0654e57861023bd0ca10b21ec9c11e643
  SHA256: 7b1d7aad9e1df3b67303292ea01441934dcc38a1313c6c9a984aedb8cae453b9
  SHA512: 99f48776e3631a3698a03157783a1fd81fa7257726aac2bdee1379e87dabbb07d33d755808fbd0db353cf2ffccae03432a6f9b7179496e926f7ccc384fa88d22
- C:\Users\Admin\Desktop\PublishUnpublish.DVR.8E5-AA3-C3C
  MD5: 44fa2605f323200124665431d497a7d8
  SHA1: daa4fb5461aed76360b25f8219410285283f350e
  SHA256: 24866f32c8f82dfa950d54ac4916cfb95cced204eb4a6353936b20e33737fec2
  SHA512: 3bcc17ef726522238ab89cc8664091fed5353b30c4e88f198de7f2160243a1bf1d7bca6603d0ba07bf5e243055e156715a1d64b73d933d4322158c6d56a7bf6b
- C:\Users\Admin\Desktop\RedoUnblock.xlsb.8E5-AA3-C3C
  MD5: cf840f62f9b5b23903eee09926915ac2
  SHA1: 40961700ac5c81d557a12bb9d846048e69a19ab8
  SHA256: e00f124fb0f2a9fcd61cd83769148fab4939db64c1f3ed598ec1a03d80ad540c
  SHA512: d9db634f9803d24e27b7057d2db414c7f39a57bf131f761c04448a88b46638383342cfd52f9f0b1b86cdd319c8568f5e6400f2eae5ce64d495c17ef1a93e4dc6
- C:\Users\Admin\Desktop\RequestResume.vsdx.8E5-AA3-C3C
  MD5: 564550e854094e4fb3cfebbefcffdb53
  SHA1: 9aa1a5bc645242a7f0abf7f0bb6c8f50cf5c94cc
  SHA256: 7a6192f341e7b2b91b766146d7a957e7b2f5b2a1b27fdc403039d4d7960c026d
  SHA512: 8f1d6a9170a348426649a76efb68cf51c3da62bc7a0966ac7a5147f029c14dbd8665087e41390273c9495ba3ea6fc761d17760d3dabb2e74f77342c266b4700d
- C:\Users\Admin\Desktop\SetPing.xml.8E5-AA3-C3C
  MD5: 5b8760e47f09dd08b1c834bf6bcd7170
  SHA1: 79273c06b548d1b1746c6ec1f9af4a72ec87c39c
  SHA256: 9b6e7ec200d2972c2b732b87a3937ee90dc4622fbf9e559b22d1c012446c8b8a
  SHA512: a1ceabe00ba7f4f82ffc0c8b51eef26c1804fadc364d274c13a097f31e52e29c73f0912ae8b737daf7c85cfb3faeefdd72aedf49fcbd78d4c2280f991d1377ad
- C:\Users\Admin\Desktop\SkipConvertFrom.avi.8E5-AA3-C3C
  MD5: 0208cd3e7604e2b93b73b11322c924c4
  SHA1: 08428636808472b968e679c5c29bc6bf781fef3d
  SHA256: d9c1426e659f78911bc23a2f3b3ea66544df431196ebca085b07d5b66c4a66db
  SHA512: 2770f441b40f9e409d786b524fb5282461bd886455c6817a75c17b765affe20d32006011eb83784bff03015d0f898524e0477c2841f36871f1f87bee34158fc1
- C:\Users\Admin\Desktop\StartOut.mpg.8E5-AA3-C3C
  MD5: 874c7fbc103683de83180e755a47de9a
  SHA1: 1885de5b9658eb30375a514753520a89fd25784f
  SHA256: 28842bb8dfc92cff194dd8354caba1c9b8a488f20febc32b9069ab7f3e86b5a6
  SHA512: a2426ff6071c493d598f7ac18db2aada2c682bd7ebcb073865510db9ebad8eac44edf7c03c8f772f7b4da5a9620130b8bce46967c761d4364f76c297cf2763b6
- C:\Users\Admin\Desktop\SuspendDismount.au3.8E5-AA3-C3C
  MD5: 5f2a0b00a93523c020d026e3cfe121bd
  SHA1: cde6a4370c93bfc8c6031b01bc19d001777cbf07
  SHA256: d85cb784c58a099b23ed3fed163f3055a0b1a5ce16ff1815704818eeb2693e64
  SHA512: 60d67c285cc724732ff4ea6b2f2a04017d1dbd8203a512ca89f37de48dae5851d2894f7110a035dcc939aeb46007401339ad0e2dfe23fd3ab17d50d03c0d0305
- C:\Users\Admin\Desktop\SwitchReset.rtf.8E5-AA3-C3C
  MD5: a1b02c56ecce36d3e9c1c092148363a8
  SHA1: 79f8ac6312dab78b50c0db3aa184d9b54f12131e
  SHA256: 14bd1cbea99749d06e15f5ac4862e501ae49ddb06701e4363ebf6eeceb0fea60
  SHA512: fc752f8e9d521d9ea000e042945c14093ca7581e3208140f410929c34298aaad17f7f5676b16da34fd58e217a06020147579da70f49838d9c0d1496d45ad9c4c
- C:\Users\Admin\Desktop\SyncMerge.mpe.8E5-AA3-C3C
  MD5: c15af10d65c867e5f8cce9f8bb451c56
  SHA1: b4d1391ddbd1a5077c3087e230919653cfbca491
  SHA256: 19dc1791b0aca6b2e03fc0d2fc41a7c09aba51c5ed69781eefc3106716337cd5
  SHA512: 8b70d1507a213a5f37ca2788492ab367b4bb9fdedca0b2a2c20a87d2e5d71b91d5f0d5ec489f6298275f0108e67e20927fc26eaa80cda91bede90a1640af2e87
- C:\Users\Admin\Desktop\UnblockTrace.aif.8E5-AA3-C3C
  MD5: 3a2283770327bb6e189ba8683bad8df5
  SHA1: dc1692c61a8964e24adb9993f52407865c400089
  SHA256: d40fa0de0372b8320fce6d8043aba967b78b0471f39746579d53e052752f20ec
  SHA512: 03949c08e80e4fe797f4568cf4c80048b82c01c2406bae854a5a65ab3181ac7463d387ff51b5e20d62bad8a5acdfb30ff003bd84ee731808cc7c58475c5867bd
- C:\Users\Admin\Desktop\UnprotectPublish.ogg.8E5-AA3-C3C
  MD5: 3b2a5281254178c4f9410ad1e6d8b0b8
  SHA1: 215199df43fea9e9ffd3b9098b27900a70c7fde4
  SHA256: 65ed9581b3c4af0f270324f36d4f87cd718460d116e63cbe0893cdaadeb2206e
  SHA512: b0bb4767bbe703eff866672ecae9dbc7834cefc61672d87687915551cc5556bfbe8425a9b04d02e1f54996b532d052a6666e1c99bcbadbac344ca047a22ee240
- C:\Users\Admin\Desktop\WriteMove.3gp2.8E5-AA3-C3C
  MD5: 3de33ad558596fab3768204ec9233704
  SHA1: 066b24bbb50d57eac370ecf0472f21ba28171de7
  SHA256: 47e2edb2d1d1ac65e665cc6a426d1aae9ccef39e89fa1540d5634199abda5d09
  SHA512: 63e3fb936099df263ca2378f50e73573712ab44925e8718c3032325f707d63d08ee8072d93655b5a544565d1049b2d8fd5f2ec497e8897477eb1ae1e5cbb45f1
- memory/416-46-0x0000000000000000-mapping.dmp
- memory/416-45-0x00000000001B0000-0x00000000001B1000-memory.dmp (Filesize: 4KB)
- memory/488-10-0x0000000000000000-mapping.dmp
- memory/504-11-0x0000000000000000-mapping.dmp
- memory/1080-9-0x0000000000000000-mapping.dmp
- memory/1380-5-0x0000000000000000-mapping.dmp
- memory/1504-8-0x0000000000000000-mapping.dmp
- memory/2296-16-0x0000000000000000-mapping.dmp
- memory/2684-2-0x0000000000000000-mapping.dmp
- memory/2968-6-0x0000000000000000-mapping.dmp
- memory/3064-15-0x0000000000000000-mapping.dmp
- memory/3808-7-0x0000000000000000-mapping.dmp
- memory/3988-17-0x0000000000000000-mapping.dmp
- memory/4064-14-0x0000000000000000-mapping.dmp