Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 22-12-2020 13:17

Static task: static1

Behavioral task: behavioral1
- Sample: f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
- Resource: win10v20201028
General
- Target: f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
- Size: 117KB
- MD5: f64ecdec4c84ac7ef0ca6c2ef4d94eea
- SHA1: 7c88af3c8a27402da1d67cfaa1a02555f1c7945d
- SHA256: fc257f64a0279bb5ae221b968d3f38bbb7237a8475c165c5a8430fe6633e3fe6
- SHA512: 87b8a1c6098a67a6a7f61e154deba8c16a5b421e5157183b40f808c23187ec46e046d7f4ac006d375fcf66000da7da588c9105f9acba5471604255d15c1ac8f7
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
- Family: makop
- Emails: akzhq1010@tutanota.com, akzhq1010@cock.li
Signatures

- Makop
  Ransomware family discovered by @VK_Intel in early 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
  Processes (pid | process):
  - 1052 | wbadmin.exe
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description | ioc | process):
  - File opened for modification | C:\Users\Admin\Pictures\BackupInvoke.tiff | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
  - File opened for modification | C:\Users\Admin\Pictures\RemoveStop.tiff | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid | process):
  - 1668 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
  - 1588 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
  - 556 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe\"" | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description | pid | process | target process):
  - PID 1668 set thread context of 1224 | 1668 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
  - PID 1588 set thread context of 1088 | 1588 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
  - PID 556 set thread context of 1168 | 556 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
- Drops file in Program Files directory (64 IoCs)
  Processes (description | ioc); the process column is f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe in every row:
  - File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Khandyga
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07804_.WMF
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18243_.WMF
  - File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui
  - File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Wallis
  - File opened for modification | C:\Program Files\Java\jre7\release
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\VelvetRose.css
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALNDR98.POC
  - File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip
  - File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_up.png
  - File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA
  - File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.aup
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107146.WMF
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151047.WMF
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00736_.WMF
  - File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar
  - File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\THMBNAIL.PNG
  - File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\cursors.properties
  - File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\WATER.ELM
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07761_.WMF
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187863.WMF
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\MENUS.JS
  - File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar
  - File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties
  - File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Sts.css
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\PUSH.WAV
  - File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MOR6INT.REST.IDX_DLL
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\SpaceSelector.ico
  - File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png
  - File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application-views.jar
  - File opened for modification | C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac
  - File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.0.2.jar
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086420.WMF
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153047.WMF
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO
  - File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml
  - File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0160590.WMF
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Perspective.dotx
  - File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIconSubpict.png
  - File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv
  - File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_ja.jar
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_K_COL.HXK
  - File opened for modification | C:\Program Files (x86)\Windows Defender\en-US\MpAsDesc.dll.mui
  - File opened for modification | C:\Program Files\ConvertToUnpublish.snd
  - File created | C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\readme-warning.txt
  - File created | C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\readme-warning.txt
  - File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png
  - File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\4.png
  - File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\navBack.png
  - File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif
  - File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\readme-warning.txt
  - File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21370_.GIF
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Users.accdt
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185670.WMF
  - File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf
  - File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp
  - File created | C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\readme-warning.txt
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid | process):
  - 324 | vssadmin.exe
- Modifies system certificate store (3 IoCs)
  Processes (description | ioc | process):
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
  - Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
  - Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid | process):
  - 1224 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes (pid | process):
  - 1668 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
  - 1588 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
  - 556 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes (description | pid | process):
  - Token: SeBackupPrivilege | 784 | vssvc.exe
  - Token: SeRestorePrivilege | 784 | vssvc.exe
  - Token: SeAuditPrivilege | 784 | vssvc.exe
  - Token: SeBackupPrivilege | 560 | wbengine.exe
  - Token: SeRestorePrivilege | 560 | wbengine.exe
  - Token: SeSecurityPrivilege | 560 | wbengine.exe
  - Token: SeIncreaseQuotaPrivilege | 1616 | WMIC.exe
  - Token: SeSecurityPrivilege | 1616 | WMIC.exe
  - Token: SeTakeOwnershipPrivilege | 1616 | WMIC.exe
  - Token: SeLoadDriverPrivilege | 1616 | WMIC.exe
  - Token: SeSystemProfilePrivilege | 1616 | WMIC.exe
  - Token: SeSystemtimePrivilege | 1616 | WMIC.exe
  - Token: SeProfSingleProcessPrivilege | 1616 | WMIC.exe
  - Token: SeIncBasePriorityPrivilege | 1616 | WMIC.exe
  - Token: SeCreatePagefilePrivilege | 1616 | WMIC.exe
  - Token: SeBackupPrivilege | 1616 | WMIC.exe
  - Token: SeRestorePrivilege | 1616 | WMIC.exe
  - Token: SeShutdownPrivilege | 1616 | WMIC.exe
  - Token: SeDebugPrivilege | 1616 | WMIC.exe
  - Token: SeSystemEnvironmentPrivilege | 1616 | WMIC.exe
  - Token: SeRemoteShutdownPrivilege | 1616 | WMIC.exe
  - Token: SeUndockPrivilege | 1616 | WMIC.exe
  - Token: SeManageVolumePrivilege | 1616 | WMIC.exe
  - Token: 33 | 1616 | WMIC.exe
  - Token: 34 | 1616 | WMIC.exe
  - Token: 35 | 1616 | WMIC.exe
  (The 20 WMIC.exe rows above are recorded a second time in the same order, giving 46 rows in total.)
- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes (description | pid | process | target process); identical rows are collapsed with their count:
  - PID 1668 wrote to memory of 1224 | 1668 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe (8 rows)
  - PID 1224 wrote to memory of 1652 | 1224 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | cmd.exe (4 rows)
  - PID 1652 wrote to memory of 324 | 1652 | cmd.exe | vssadmin.exe (3 rows)
  - PID 1652 wrote to memory of 1052 | 1652 | cmd.exe | wbadmin.exe (3 rows)
  - PID 1652 wrote to memory of 1616 | 1652 | cmd.exe | WMIC.exe (3 rows)
  - PID 1588 wrote to memory of 1088 | 1588 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe (8 rows)
  - PID 556 wrote to memory of 1168 | 556 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe (8 rows)
Processes (bracketed number = depth in the process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe"
    - Modifies extensions of user files
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe" n1224
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe" n1224
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
      - [4] C:\Windows\system32\wbadmin.exe
        Command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
      - [4] C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe" n1224
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe" n1224
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- [1] C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\972313772
  MD5: 0dae339e0503a35eaa156e084f82d0a2
  SHA1: 276b97b0bdafb3d64a8ebb48eb137b3da621ec6b
  SHA256: b88aeddacafbf19a7ae81b720b7911fd788f3ebc03e9b90782077caadaca2720
  SHA512: 8ec78d45f591e89ef0be9e05d5a9af7c4ffc25f6cde8c4b79bb1bb888b6d52fa499c4f52f0963a82e3b7b3ea0fcec997c6a0d488234a276b65779de63fac1555
- C:\Users\Admin\AppData\Roaming\972313772
  MD5: 18668c3a11b0458f86330e6063869484
  SHA1: 701d1f5075dc9b124811c972a6e5d566988394be
  SHA256: a00de16ae3484951fb5cf4ee7f1893f950b9c91e559edd70d0f627235d4d8a12
  SHA512: d5ae285abc59758ec0bbb080aa796f32b0ffe59ee948355b54f45ecb5dc96080bc40e0cdd0095cad05903b53d6ec56dd4ac089ddc14f942632421c3363dcb92c
- \Users\Admin\AppData\Local\Temp\nsi627B.tmp\System.dll
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- \Users\Admin\AppData\Local\Temp\nsn7CEE.tmp\System.dll
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- \Users\Admin\AppData\Local\Temp\nsx5B5A.tmp\System.dll
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- memory/324-7-0x0000000000000000-mapping.dmp
- memory/1052-10-0x0000000000000000-mapping.dmp
- memory/1088-13-0x00000000004059A0-mapping.dmp
- memory/1168-20-0x00000000004059A0-mapping.dmp
- memory/1224-5-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/1224-4-0x00000000004059A0-mapping.dmp
- memory/1224-3-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/1616-11-0x0000000000000000-mapping.dmp
- memory/1636-17-0x000007FEF5B70000-0x000007FEF5DEA000-memory.dmp
  Filesize: 2.5MB
- memory/1652-6-0x0000000000000000-mapping.dmp