Analysis

max time kernel: 145s
max time network: 145s
platform: windows10_x64
resource: win10v20201028
submitted: 19-01-2021 12:11

Tasks
static1: static task
behavioral1: behavioral task, sample X[1].bin.exe, resource win7v20201028
behavioral2: behavioral task, sample X[1].bin.exe, resource win10v20201028

The results below are from the behavioral2 run (windows10_x64, resource win10v20201028).
General

Target: X[1].bin.exe
Size: 901KB
MD5: 762d680bba4270694d5487e7d4f0a014
SHA1: 97e37c21b1ec5b0332e8cb09ed0535b7c6516bdf
SHA256: c5ec4ced753e67fba6b0b4a720f5bb6611fbbaa6f74e9369193735d42258a0c0
SHA512: 6628da111ce1a5bc1a4e85fb3c250b9e28bee432643c3c3b238dcca28c45e536e938e4f653293e47240908722e49dcda4aa37fcc6259b4661b0c85537ee9a76a
Malware Config

Extracted from: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
Family: makop
Emails: Yamer2@protonmail.com

The same readme-warning.txt is created beside the files the sample modifies throughout Program Files (see the "Drops file in Program Files directory" signature), so any copy of the note found on a host yields the same contact address.
Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
A process was created by one process but recorded with a different parent. The creator here is the svchost.exe hosting the Secondary Logon service (-k netsvcs -s seclogon in the process tree below), which builds processes on behalf of callers of CreateProcessWithLogonW/CreateProcessWithTokenW and assigns the caller as parent; the sample relaunching itself through that service is consistent with this hit.
Processes (description | pid | process | target process):
  PID 1520 created 1268 | 1520 | svchost.exe | X[1].bin.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery. The command matched by this signature is wbadmin delete catalog -quiet (see the process tree), which removes the Windows Backup catalog rather than VSS snapshots; the snapshots themselves are deleted by the vssadmin and wmic commands covered by the "Interacts with shadow copies" and "AdjustPrivilegeToken" signatures.
Processes (pid | process):
  1360 | wbadmin.exe
Adds Run key to start application (2 TTPs, 1 IoC)
The value name is the single character 1 and the data is the sample's own path in the user's Temp directory, so the persistence is per-user (HKCU Run) and only survives as long as that file stays on disk.
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\X[1].bin.exe\"" | X[1].bin.exe
Suspicious use of SetThreadContext (2 IoCs)
Both rows pair with WriteProcessMemory bursts into the same targets (see below): each parent writes into a child running its own image and then redirects that child's thread, the write-then-SetThreadContext sequence of process hollowing. PID 1268 and PID 2412 are the hollowed copies.
Processes (description | pid | process | target process):
  PID 3884 set thread context of 1268 | 3884 | X[1].bin.exe | X[1].bin.exe
  PID 2400 set thread context of 2412 | 2400 | X[1].bin.exe | X[1].bin.exe
Drops file in Program Files directory (17731 IoCs)
Every entry is attributed to X[1].bin.exe. Files of every type across unrelated application trees are opened for modification, and readme-warning.txt is created in the directories being worked through: the encryption sweep plus the per-directory ransom note drop. The first 64 of the 17731 IoCs are shown.
Processes (description | ioc | process X[1].bin.exe):
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left-pressed.gif
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\ui-strings.js
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\readme-warning.txt
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_ja.jar
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-200.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_home.targetsize-48.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\Bin\Colored_PS.fxo
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1251_40x40x32.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\logo_retina.png
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp32.msi
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\THMBNAIL.PNG
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\LargeTile.scale-125.png
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\NETWORK.INF
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\sttionry.jpg
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\readme-warning.txt
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT
  File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties
  File opened for modification | C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.tree.dat
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\9434_24x24x32.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands_3.6.100.v20140528-1422.jar
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\976_24x24x32.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\cn_60x42.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\6528_48x48x32.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\SkypeApp\Assets\SkypeMedTile.scale-100.png
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-100.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-200.png
  File created | C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\readme-warning.txt
  File opened for modification | C:\Program Files\Windows Mail\en-US\msoeres.dll.mui
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\grmarble.jpg
  File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Test-Assertion.ps1
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-down_32.svg
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\et_60x42.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\fm_16x11.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\WideTile.scale-100.png
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaBrightDemiBold.ttf
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL121.XML
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\WT61ES.LEX
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\cs-cz\readme-warning.txt
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\ui-strings.js
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\MusicStoreLogo.scale-200.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-80.png
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-100.png
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\MedTile.scale-125.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\SQLiteWrapper.winmd
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-24.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-20.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sv-se\ui-strings.js
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core_0.10.100.v20140424-2042.jar
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\NamedUrls.HxK
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\readme-warning.txt
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nl-nl\readme-warning.txt
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyoptionaltools.jar
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\root\ui-strings.js
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6124_20x20x32.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses-hover.svg
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql90.xsl
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireAppList.targetsize-64_altform-unplated.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\nod.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\WideLogo.scale-100.png
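The file list above shows the two traits a detection engineer keys on: one process modifying files of every type across unrelated application trees, and the same note filename created in directory after directory. The script below is an added example, not the sandbox's or the report's own logic. It scores a process's file events for those traits; the events are a constructed subset of the paths listed above, the "control" set is invented to show a benign single-tree updater, and the thresholds (5 trees, 5 file types, 3 note directories) are assumptions to tune against your own telemetry.

```python
"""Score one process's file events for the two ransomware traits visible in the
'Drops file in Program Files directory' list: files of every type modified across
unrelated application trees, and a single note file created in directory after
directory.  Added example: the events are a constructed subset of the report's
paths, the control set is invented, and the thresholds are assumptions."""

NOTE_NAME = "readme-warning.txt"  # from the Malware Config section

# (sandbox action, path) in the report's own wording; constructed subset.
EVENTS = [
    ("File opened for modification", r"C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_home.targetsize-48.png"),
    ("File opened for modification", r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left-pressed.gif"),
    ("File opened for modification", r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\ui-strings.js"),
    ("File created", r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\readme-warning.txt"),
    ("File opened for modification", r"C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_ja.jar"),
    ("File opened for modification", r"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp32.msi"),
    ("File created", r"C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\readme-warning.txt"),
    ("File opened for modification", r"C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"),
    ("File opened for modification", r"C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Test-Assertion.ps1"),
    ("File created", r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\readme-warning.txt"),
    ("File opened for modification", r"C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaBrightDemiBold.ttf"),
    ("File created", r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\readme-warning.txt"),
    ("File opened for modification", r"C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb"),
]

# Invented control: a single application's updater touching only its own tree.
BENIGN_EVENTS = [
    ("File opened for modification", r"C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaBrightDemiBold.ttf"),
    ("File opened for modification", r"C:\Program Files\Java\jre1.8.0_66\lib\rt.jar"),
    ("File created", r"C:\Program Files\Java\jre1.8.0_66\README.txt"),
]


def parts(path):
    return path.split("\\")


def app_tree(path):
    """Drive, 'Program Files[ (x86)]' and the vendor/app directory, e.g.
    'C:\\Program Files (x86)\\Adobe': the unit a legitimate installer stays in."""
    return "\\".join(parts(path)[:3])


def extension(path):
    name = parts(path)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def summarize(events, note_name=NOTE_NAME):
    """Separate encryption candidates from note drops and count what the
    heuristic cares about: trees touched, file types touched, note directories."""
    modified = [p for a, p in events if a == "File opened for modification"]
    notes = [p for a, p in events
             if a == "File created" and parts(p)[-1].lower() == note_name.lower()]
    return {
        "note_name": note_name,
        "modified": len(modified),
        "trees": sorted({app_tree(p) for p in modified}),
        "extensions": sorted({extension(p) for p in modified} - {""}),
        "note_dirs": sorted({"\\".join(parts(p)[:-1]) for p in notes}),
    }


def verdict(summary, min_trees=5, min_extensions=5, min_note_dirs=3):
    """Flag when at least two of the three traits are present (thresholds assumed)."""
    reasons = []
    if len(summary["trees"]) >= min_trees:
        reasons.append(f"modified files in {len(summary['trees'])} application trees")
    if len(summary["extensions"]) >= min_extensions:
        reasons.append(f"{len(summary['extensions'])} distinct file types modified")
    if len(summary["note_dirs"]) >= min_note_dirs:
        reasons.append(f"{summary['note_name']} created in {len(summary['note_dirs'])} directories")
    return len(reasons) >= 2, reasons


if __name__ == "__main__":
    for label, evs in (("X[1].bin.exe", EVENTS), ("control", BENIGN_EVENTS)):
        flagged, why = verdict(summarize(evs))
        print(label, "FLAGGED" if flagged else "clean", "; ".join(why))
```

On the 13 constructed events the sample scores on all three traits (7 application trees, 9 file types, 4 note directories) while the control set scores on none. In production the same three counters run per process over a sliding window from file-create and file-write telemetry; the note-directory counter is the cheapest and most specific of the three once the note name is known from a report like this one.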
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run every hit comes from vds.exe, the Virtual Disk Service, which was COM-activated (vdsldr.exe -Embedding in the process tree) alongside wbengine.exe while the backup tooling ran; X[1].bin.exe does not appear in this signature, so it is not evidence of an evasion check by the sample.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | vds.exe
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid | process):
  4060 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid | process | IoCs):
  3884 | X[1].bin.exe | 2
  1268 | X[1].bin.exe | 2
Suspicious use of AdjustPrivilegeToken (51 IoCs)
Only the SeDebugPrivilege enable in PID 3884 belongs to the sample. vssvc.exe, wbengine.exe and the seclogon svchost adjust their own tokens as part of servicing the shadow-copy and backup requests, and WMIC.exe enables every privilege in its token on startup, as it routinely does. The sandbox leaves privileges 33 to 36 as raw LUIDs; in winnt.h those are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36).
Processes (description | pid | process):
  Token: SeDebugPrivilege | 3884 | X[1].bin.exe
  Token: SeTcbPrivilege | 1520 | svchost.exe (2 IoCs)
  Token: SeBackupPrivilege | 2140 | vssvc.exe
  Token: SeRestorePrivilege | 2140 | vssvc.exe
  Token: SeAuditPrivilege | 2140 | vssvc.exe
  Token: SeBackupPrivilege | 2676 | wbengine.exe
  Token: SeRestorePrivilege | 2676 | wbengine.exe
  Token: SeSecurityPrivilege | 2676 | wbengine.exe
  WMIC.exe (pid 1600), the following 21 privileges enabled twice (42 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of WriteProcessMemory (34 IoCs)
The 34 rows are aggregated by source/target pair. Every ordinary spawn in this run (cmd.exe launching vssadmin, wbadmin and WMIC; 1268 launching cmd.exe) shows exactly two writes, which is the parent's own process-creation setup of the child. The eight-write bursts into 1268 and 2412, each followed by SetThreadContext on the same target, are the payload being written into a suspended copy of the sample. PID 2736 received three writes and no thread-context change and appears nowhere else in the report. The seven writes from the seclogon svchost (1520) into 2400 are that service building 2400 on the sample's behalf.
Processes (description | pid | process | target process | count):
  PID 3884 wrote to memory of 2736 | 3884 | X[1].bin.exe | X[1].bin.exe | 3
  PID 3884 wrote to memory of 1268 | 3884 | X[1].bin.exe | X[1].bin.exe | 8
  PID 1520 wrote to memory of 2400 | 1520 | svchost.exe | X[1].bin.exe | 7
  PID 1268 wrote to memory of 3960 | 1268 | X[1].bin.exe | cmd.exe | 2
  PID 3960 wrote to memory of 4060 | 3960 | cmd.exe | vssadmin.exe | 2
  PID 3960 wrote to memory of 1360 | 3960 | cmd.exe | wbadmin.exe | 2
  PID 3960 wrote to memory of 1600 | 3960 | cmd.exe | WMIC.exe | 2
  PID 2400 wrote to memory of 2412 | 2400 | X[1].bin.exe | X[1].bin.exe | 8
Processes
Indentation follows the depth markers of the original tree. PIDs in parentheses are cross-referenced from the signature tables above; "{path}" is the literal command line the hollowed children were started with.

C:\Users\Admin\AppData\Local\Temp\X[1].bin.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\X[1].bin.exe"  (PID 3884, the 32-bit .NET loader; see the CLR usage log under Downloads)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\X[1].bin.exe
      command line: "{path}"  (PID 2736: three memory writes from 3884, no thread-context change, no further activity)
    C:\Users\Admin\AppData\Local\Temp\X[1].bin.exe
      command line: "{path}"  (PID 1268: the hollowed copy that carries the ransomware logic)
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\X[1].bin.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\X[1].bin.exe" n1268  (PID 2400: the argument is its parent's PID; the only process that wrote into it is the seclogon svchost, PID 1520)
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\X[1].bin.exe
              command line: "{path}"  (PID 2412: second hollowed copy)
        C:\Windows\system32\cmd.exe
          command line: "C:\Windows\system32\cmd.exe"  (PID 3960)
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\vssadmin.exe
              command line: vssadmin delete shadows /all /quiet  (PID 4060)
              - Interacts with shadow copies
            C:\Windows\system32\wbadmin.exe
              command line: wbadmin delete catalog -quiet  (PID 1360)
              - Deletes backup catalog
            C:\Windows\System32\Wbem\WMIC.exe
              command line: wmic shadowcopy delete  (PID 1600)
              - Suspicious use of AdjustPrivilegeToken
\??\c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon  (PID 1520, Secondary Logon service)
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe  (PID 2140, Volume Shadow Copy service, the service behind the vssadmin and wmic shadowcopy requests)
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"  (PID 2676, Block Level Backup Engine, the service wbadmin talks to)
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe  (Virtual Disk Service)
  - Checks SCSI registry key(s)

The chain to remember for hunting is loader (3884) hollows a copy of itself (1268), the copy persists via the Run key and encrypts, relaunches itself through the Secondary Logon service (2400 hollows 2412), and runs cmd.exe to delete shadow copies and the backup catalog. The VSS, backup and disk services at the bottom of the tree are Windows components reacting to those commands, not parts of the malware.
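The signature tables and the process tree above are what an analyst reconstructs by hand: which pairs of write-then-SetThreadContext are hollowing, which child was built by the Secondary Logon service, which command lines kill backups and where the Run key points. The script below is an added example, not the sandbox's or the report's own code, that does that reconstruction over flat events. Every event is constructed from the report's tables; the root processes' parent PID (1000), the pairing of the seclogon svchost with PID 2400, and the extra bcdedit rule (not present in this report, but a usual companion of the three commands seen here) are assumptions, and the detection logic is ours.

```python
"""Rebuild the process tree from flat sandbox events and flag the tradecraft this
report records: hollowing into a same-image child, a spawn routed through the
Secondary Logon service, backup destruction, and a Run key pointing into %TEMP%.
Added example: events are constructed from the report's tables; the logic is ours."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\X[1].bin.exe"
# (pid, ppid, image, command line); ppid 1000 for the roots is an assumption.
PROCESSES = [
    (3884, 1000, SAMPLE, f'"{SAMPLE}"'),
    (2736, 3884, SAMPLE, "{path}"),
    (1268, 3884, SAMPLE, "{path}"),
    (2400, 1268, SAMPLE, f'"{SAMPLE}" n1268'),
    (2412, 2400, SAMPLE, "{path}"),
    (3960, 1268, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (4060, 3960, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (1360, 3960, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    (1600, 3960, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    (1520, 1000, r"C:\Windows\system32\svchost.exe", "svchost.exe -k netsvcs -s seclogon"),
]
PROC = {p[0]: p for p in PROCESSES}
# (api, source pid, target pid): one row per distinct pair in the signatures.
INJECTIONS = [
    ("WriteProcessMemory", 3884, 2736), ("WriteProcessMemory", 3884, 1268),
    ("SetThreadContext", 3884, 1268), ("WriteProcessMemory", 1520, 2400),
    ("WriteProcessMemory", 2400, 2412), ("SetThreadContext", 2400, 2412),
    ("WriteProcessMemory", 1268, 3960), ("WriteProcessMemory", 3960, 4060),
    ("WriteProcessMemory", 3960, 1360), ("WriteProcessMemory", 3960, 1600),
]
# Creator of a child whose recorded parent differs (the OtherParentProcess
# signature).  Pairing 1520 -> 2400 follows the svchost write rows: assumption.
CREATED_BY = {2400: 1520}
# (pid, key, value data) from the "Adds Run key" signature.
REGISTRY_SETS = [(1268, r"\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000"
                  r"\Software\Microsoft\Windows\CurrentVersion\Run\1", f'"{SAMPLE}"')]
# The three commands seen in this report plus the bcdedit pair other families add.
BACKUP_KILL = [
    ("vssadmin delete shadows", re.compile(r"vssadmin.*delete.*shadows", re.I)),
    ("wbadmin delete catalog", re.compile(r"wbadmin.*delete.*catalog", re.I)),
    ("wmic shadowcopy delete", re.compile(r"wmic.*shadowcopy.*delete", re.I)),
    ("bcdedit disable recovery", re.compile(r"bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\|\\ProgramData\\|\\Users\\Public\\", re.I)

def ancestry(pid):
    """[pid, parent, grandparent, ...] as far as the event set reaches."""
    chain = []
    while pid in PROC:
        chain.append(pid)
        pid = PROC[pid][1]
    return chain

def find_hollowing():
    """Parent writes into, then redirects the thread of, a child running its own image."""
    seen = defaultdict(set)
    for api, src, dst in INJECTIONS:
        seen[(src, dst)].add(api)
    return sorted((src, dst) for (src, dst), apis in seen.items()
                  if {"WriteProcessMemory", "SetThreadContext"} <= apis
                  and src in PROC and dst in PROC
                  and PROC[src][2].lower() == PROC[dst][2].lower()
                  and PROC[dst][1] == src)

def find_backup_destruction():
    """Backup-killing command lines with the chain back to the root process."""
    return [(pid, name, ancestry(pid)) for pid, _, _, cmd in PROCESSES
            for name, rx in BACKUP_KILL if rx.search(cmd)]

def find_autorun_from_user_dirs():
    """Run/RunOnce values whose target lives in a user-writable directory."""
    return [(pid, key, data) for pid, key, data in REGISTRY_SETS
            if re.search(r"\\CurrentVersion\\Run(Once)?\\", key, re.I)
            and USER_WRITABLE.search(data)]

def find_other_parent_spawns():
    """(child, creator, recorded parent) where creator and parent differ."""
    return [(pid, creator, PROC[pid][1]) for pid, creator in CREATED_BY.items()
            if pid in PROC and creator != PROC[pid][1]]

def render_tree(root):
    """One line per process, indented by depth, children in pid order."""
    kids = defaultdict(list)
    for pid, ppid, _, _ in PROCESSES:
        kids[ppid].append(pid)
    lines = []
    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {PROC[pid][3]}")
        for child in sorted(kids[pid]):
            walk(child, depth + 1)
    walk(root, 0)
    return lines

if __name__ == "__main__":
    print("\n".join(render_tree(3884)))
    print("hollowing pairs:", find_hollowing())
    print("backup destruction:", [(p, n, " <- ".join(map(str, c))) for p, n, c in find_backup_destruction()])
    print("autorun from user dir:", find_autorun_from_user_dirs())
    print("other-parent spawns:", find_other_parent_spawns())
```

Run stand-alone it prints the nine-process tree rooted at 3884, the two hollowing pairs (3884 into 1268, 2400 into 2412; 3884 into 2736 is excluded because no SetThreadContext followed), the three backup-killing commands each traced back through cmd.exe and 1268 to 3884, the Run key pointing into AppData, and 2400 as the child whose creator (1520) is not its recorded parent (1268). The same four functions apply unchanged to Sysmon event IDs 1, 8, 10 and 13 once the events are normalised into the tuples used here.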
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\X[1].bin.exe.log
  MD5: 0c2899d7c6746f42d5bbe088c777f94c
  SHA1: 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
  SHA256: 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
  SHA512: ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078
  A usage log under CLR_v4.0_32 is written by the .NET 4 runtime for a 32-bit managed executable, so the X[1].bin.exe on disk is a .NET loader; the 901KB file hashes in the General section identify that loader, not the payload it unpacks.

Memory dumps (dump | PID | region | size):
  memory/1268-12-0x0000000000400000-0x000000000041D000-memory.dmp | 1268 | 0x00400000-0x0041D000 | 116KB
  memory/1268-14-0x0000000000400000-0x000000000041D000-memory.dmp | 1268 | 0x00400000-0x0041D000 | 116KB
  memory/1268-13-0x0000000000405790-mapping.dmp | 1268 | mapping at 0x00405790 | -
  memory/1360-26-0x0000000000000000-mapping.dmp | 1360 | mapping | -
  memory/1600-28-0x0000000000000000-mapping.dmp | 1600 | mapping | -
  memory/2400-18-0x0000000073AC0000-0x00000000741AE000-memory.dmp | 2400 | 0x73AC0000-0x741AE000 | 6.9MB
  memory/2400-15-0x0000000000000000-mapping.dmp | 2400 | mapping | -
  memory/2400-27-0x00000000074E0000-0x00000000074E1000-memory.dmp | 2400 | 0x074E0000-0x074E1000 | 4KB
  memory/2412-32-0x0000000000405790-mapping.dmp | 2412 | mapping at 0x00405790 | -
  memory/3884-6-0x0000000007A20000-0x0000000007A21000-memory.dmp | 3884 | 0x07A20000-0x07A21000 | 4KB
  memory/3884-7-0x00000000079B0000-0x00000000079B1000-memory.dmp | 3884 | 0x079B0000-0x079B1000 | 4KB
  memory/3884-8-0x0000000007B80000-0x0000000007B81000-memory.dmp | 3884 | 0x07B80000-0x07B81000 | 4KB
  memory/3884-10-0x0000000009E60000-0x0000000009EBC000-memory.dmp | 3884 | 0x09E60000-0x09EBC000 | 368KB
  memory/3884-2-0x0000000073A20000-0x000000007410E000-memory.dmp | 3884 | 0x73A20000-0x7410E000 | 6.9MB
  memory/3884-5-0x0000000007E80000-0x0000000007E81000-memory.dmp | 3884 | 0x07E80000-0x07E81000 | 4KB
  memory/3884-9-0x0000000007BF0000-0x0000000007BFE000-memory.dmp | 3884 | 0x07BF0000-0x07BFE000 | 56KB
  memory/3884-3-0x0000000000BB0000-0x0000000000BB1000-memory.dmp | 3884 | 0x00BB0000-0x00BB1000 | 4KB
  memory/3884-11-0x0000000009F60000-0x0000000009F61000-memory.dmp | 3884 | 0x09F60000-0x09F61000 | 4KB
  memory/3960-16-0x0000000000000000-mapping.dmp | 3960 | mapping | -
  memory/4060-21-0x0000000000000000-mapping.dmp | 4060 | mapping | -

The two 116KB dumps of 0x00400000-0x0041D000 in PID 1268, together with the identical 0x00405790 mapping recorded in both hollowed children (1268 and 2412), are the injected image; hash and analyze those dumps rather than the 901KB loader on disk, and expect the same image in 2412.