Analysis
- max time kernel: 145s
- max time network: 108s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 26-01-2021 14:41
- Static task: static1
- Behavioral task: behavioral1 (sample Fat32Formatter.exe, resource win7v20201028)
- Behavioral task: behavioral2 (sample Fat32Formatter.exe, resource win10v20201028)
General
- Target: Fat32Formatter.exe
- Size: 276KB
- MD5: 57bfa19c46f1b511836845dc3cf660f3
- SHA1: a90e180b514f4cdd8a5db72b4d65c42c1fb1e389
- SHA256: e85e974255245ba41d391acc207908eeddb5ec95285e5375496a89617c5fb843
- SHA512: f3dce6d32e009000618c3f3dc0939e1bca21ad4bf3a1ae46a74fafcff54884d07be751dad610790db3e92c116a5878f76a8c7b5aaae892fef702ca912239d48a
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
- Family: makop
- Emails: agares_helpdesk@tutanota.com, agares@airmail.cc
Signatures
- Makop
  Ransomware family discovered by @VK_Intel in early 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
  Processes (pid, process):
  - 1864 wbadmin.exe
- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description, ioc, process):
  - File opened for modification C:\Users\Admin\Pictures\MountClose.tiff (Fat32Formatter.exe)
  - File opened for modification C:\Users\Admin\Pictures\ResolveInstall.tiff (Fat32Formatter.exe)
  - File opened for modification C:\Users\Admin\Pictures\StopCheckpoint.tiff (Fat32Formatter.exe)
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
  - 1636 Fat32Formatter.exe
  - 1728 Fat32Formatter.exe
  - 812 Fat32Formatter.exe
  - 1144 Fat32Formatter.exe
  - 1868 Fat32Formatter.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Fat32Formatter.exe\"" (Fat32Formatter.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext (5 IoCs)
  Processes (description, pid, process, target process):
  - PID 1636 set thread context of 1412 (Fat32Formatter.exe -> Fat32Formatter.exe)
  - PID 1728 set thread context of 212 (Fat32Formatter.exe -> Fat32Formatter.exe)
  - PID 812 set thread context of 228 (Fat32Formatter.exe -> Fat32Formatter.exe)
  - PID 1144 set thread context of 1020 (Fat32Formatter.exe -> Fat32Formatter.exe)
  - PID 1868 set thread context of 1780 (Fat32Formatter.exe -> Fat32Formatter.exe)
- Drops file in Program Files directory (9659 IoCs)
  Processes (description, ioc, process): Fat32Formatter.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
  - 1056 vssadmin.exe
- Modifies system certificate store
  Processes (description, ioc, process):
  - Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) (Fat32Formatter.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (Fat32Formatter.exe)
  - Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) (Fat32Formatter.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid, process):
  - 1412 Fat32Formatter.exe
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes (pid, process):
  - 1636 Fat32Formatter.exe
  - 1728 Fat32Formatter.exe
  - 812 Fat32Formatter.exe
  - 1144 Fat32Formatter.exe
  - 1868 Fat32Formatter.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes (description, pid, process), grouped by process:
  - 924 vssvc.exe: Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - 1356 wbengine.exe: Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  - 1620 WMIC.exe (the following 20 entries are recorded twice): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes (description, pid, process, target process), with repeat counts:
  - PID 1636 wrote to memory of 1412 (Fat32Formatter.exe -> Fat32Formatter.exe), 5 times
  - PID 1412 wrote to memory of 1664 (Fat32Formatter.exe -> cmd.exe), 4 times
  - PID 1664 wrote to memory of 1056 (cmd.exe -> vssadmin.exe), 3 times
  - PID 1664 wrote to memory of 1864 (cmd.exe -> wbadmin.exe), 3 times
  - PID 1664 wrote to memory of 1620 (cmd.exe -> WMIC.exe), 3 times
  - PID 1728 wrote to memory of 212 (Fat32Formatter.exe -> Fat32Formatter.exe), 5 times
  - PID 812 wrote to memory of 228 (Fat32Formatter.exe -> Fat32Formatter.exe), 5 times
  - PID 1144 wrote to memory of 1020 (Fat32Formatter.exe -> Fat32Formatter.exe), 5 times
  - PID 1868 wrote to memory of 1780 (Fat32Formatter.exe -> Fat32Formatter.exe), 5 times
Processes
- depth 1: C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - depth 2: C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe"
    - Modifies extensions of user files
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - depth 3: C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n1412
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - depth 4: C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n1412
    - depth 3: C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      - depth 4: C:\Windows\system32\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
      - depth 4: C:\Windows\system32\wbadmin.exe
        command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
      - depth 4: C:\Windows\System32\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    - depth 3: C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n1412
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - depth 4: C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n1412
    - depth 3: C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n1412
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - depth 4: C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n1412
    - depth 3: C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n1412
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - depth 4: C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n1412
- depth 1: C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- depth 1: C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- depth 1: C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
- depth 1: C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\383576795 (listed seven times; hashes of each entry, in order)
  - entry 1
    MD5: 66b375164f57712c80d05da2e514ee47
    SHA1: 565ee056235964cfa84ff08f6f0b7aeac9407a94
    SHA256: 4fede40c5b690413a9e6ac4a4125930a23a987604f7a703755a2ba38d429bff3
    SHA512: b20d29eaf1af3473b2cd820938bfece1f2f61be2f72ca518cbe537fe0615d083c6e184750db9c70d053ea6f7528d5d4df014c7802836ce7e03eb7ac067986868
  - entry 2
    MD5: bb142cd23c450d199e7932c0d1c4825d
    SHA1: 72302e59c731e98ea1482a7bddce5fd32c2fc55a
    SHA256: 4dfe99c8d27a3cdb4e2ea5fd8494849439fb71c5d868aa2e520e8e5a0c713fb2
    SHA512: 925dd03e439e79bd08dd66d4e9ff4c8ea44b7e6a7f2d686493e8dcf9f9bae12b0e21cfcf08381620c11a517a8b282642a6187b4a4bc982d97ed26edc3085656f
  - entry 3
    MD5: 50ac4bfa70127e554a2e8a4d3e6618d5
    SHA1: b3419bfcd8eee7cf25f5b210608a4a28a6ced56d
    SHA256: 55a9ba94c74a68976c9abade2532a92108b64711f8becdaba1f947015622d63f
    SHA512: 010da422d64feef14a911e855aee5fac9cffb9ca4b939558e9c82d85d98a95995afdc91cee8974bf031cd07bad12d9e0b159195d6e3cc23e0575e0a2e5cf88b9
  - entry 4: same hashes as entry 2
  - entry 5
    MD5: c33b28c068ddc979854069ff70a00d99
    SHA1: aace5f97df6a2948e704b65781eab2a3f0ddba84
    SHA256: 0a979cae49018bfdc7a4a6dc25f55e8d201f45708b3239c891605df3dd5cc180
    SHA512: 3d30776c6b744520452afc4d8722b605ee406e8cd6c7d79f1a3aac8dfa37abe177bb4bde456f2b1d153e266e62aef4aeec1e42bd2e33e57e287fa7e1d0019e94
  - entry 6: same hashes as entry 2
  - entry 7
    MD5: f389e8dccce195aff7445063eb4ff60d
    SHA1: e57fe424078785c90d10cc906fe1f1d8f87485ed
    SHA256: d1b1f51a7509d68d484b1049e59f52c64f09c7e291036fdcc077fe72357ea7f2
    SHA512: d4982e294fb9b5a956787f5b2298dfebd866f575cd3aea234592456e1dede4ac04c04493a650e1c153c875a1a81d90a9ab2e6f42919bd1f25b554a3a058d88d5
- \??\PIPE\wkssvc (these are the hashes of empty input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- System.dll, identical hashes for each of the five copies: \Users\Admin\AppData\Local\Temp\nsc15B3.tmp\System.dll, \Users\Admin\AppData\Local\Temp\nsi2D39.tmp\System.dll, \Users\Admin\AppData\Local\Temp\nsn188.tmp\System.dll, \Users\Admin\AppData\Local\Temp\nsy206D.tmp\System.dll, \Users\Admin\AppData\Local\Temp\nsyA729.tmp\System.dll
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- memory/212-15-0x0000000000405A20-mapping.dmp
- memory/228-23-0x0000000000405A20-mapping.dmp
- memory/236-19-0x000007FEF77E0000-0x000007FEF7A5A000-memory.dmp (filesize 2.5MB)
- memory/1020-30-0x0000000000405A20-mapping.dmp
- memory/1056-8-0x0000000000000000-mapping.dmp
- memory/1412-9-0x0000000000400000-0x000000000041E000-memory.dmp (filesize 120KB)
- memory/1412-4-0x0000000000405A20-mapping.dmp
- memory/1620-14-0x0000000000000000-mapping.dmp
- memory/1636-2-0x00000000761E1000-0x00000000761E3000-memory.dmp (filesize 8KB)
- memory/1664-6-0x0000000000000000-mapping.dmp
- memory/1780-38-0x0000000000405A20-mapping.dmp
- memory/1864-13-0x000007FEFBEC1000-0x000007FEFBEC3000-memory.dmp (filesize 8KB)
- memory/1864-12-0x0000000000000000-mapping.dmp