Analysis
- max time kernel: 136s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 26-01-2021 14:41
Static task: static1
Behavioral task: behavioral1
  Sample: Fat32Formatter.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Fat32Formatter.exe
  Resource: win10v20201028
General
- Target: Fat32Formatter.exe
- Size: 276KB
- MD5: 57bfa19c46f1b511836845dc3cf660f3
- SHA1: a90e180b514f4cdd8a5db72b4d65c42c1fb1e389
- SHA256: e85e974255245ba41d391acc207908eeddb5ec95285e5375496a89617c5fb843
- SHA512: f3dce6d32e009000618c3f3dc0939e1bca21ad4bf3a1ae46a74fafcff54884d07be751dad610790db3e92c116a5878f76a8c7b5aaae892fef702ca912239d48a
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
- Family: makop
- Emails: agares_helpdesk@tutanota.com, agares@airmail.cc
Signatures

Makop
  Ransomware family discovered by @VK_Intel in early 2020.

Suspicious use of NtCreateUserProcessOtherParentProcess (4 IoCs)
  Processes:
  - svchost.exe (PID 3904) created Fat32Formatter.exe (PID 4196) (4 events)
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
  Processes:
  - wbadmin.exe (PID 1424)
Modifies extensions of user files (1 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
  - Fat32Formatter.exe: File opened for modification C:\Users\Admin\Pictures\EnterApprove.tiff
Loads dropped DLL (5 IoCs)
  Processes:
  - Fat32Formatter.exe (PID 4764)
  - Fat32Formatter.exe (PID 4352)
  - Fat32Formatter.exe (PID 4740)
  - Fat32Formatter.exe (PID 1016)
  - Fat32Formatter.exe (PID 4684)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  - Fat32Formatter.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Fat32Formatter.exe\""
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of SetThreadContext (5 IoCs)
  Processes:
  - Fat32Formatter.exe (PID 4764) set thread context of Fat32Formatter.exe (PID 4196)
  - Fat32Formatter.exe (PID 4352) set thread context of Fat32Formatter.exe (PID 2848)
  - Fat32Formatter.exe (PID 4740) set thread context of Fat32Formatter.exe (PID 212)
  - Fat32Formatter.exe (PID 1016) set thread context of Fat32Formatter.exe (PID 4756)
  - Fat32Formatter.exe (PID 4684) set thread context of Fat32Formatter.exe (PID 4416)
Drops file in Program Files directory (17732 IoCs, 64 listed)
  Processes: Fat32Formatter.exe
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-16.png
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\generic-rhp-app-selector.js
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\plugin.js
  - File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml
  - File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml
  - File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\MedTile.scale-125.png
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorWideTile.scale-200.png
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\surprised.png
  - File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml
  - File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml
  - File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ppd.xrm-ms
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\envy.png
  - File opened for modification C:\Program Files\7-Zip\Lang\ar.txt
  - File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\AppxManifest.xml
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.js
  - File created C:\Program Files\Java\jre1.8.0_66\bin\server\readme-warning.txt
  - File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBUI6.CHM
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\cu_16x11.png
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-20.png
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\eu-es\ui-strings.js
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\mask\13s.png
  - File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\604_40x40x32.png
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-100.png
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\main-selector.css
  - File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp32.msi
  - File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\klondike\Blizzard-of_Bliss_Unearned_small.png
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_RU-RU.respack
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT
  - File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\readme-warning.txt
  - File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5478_40x40x32.png
  - File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pl-pl\readme-warning.txt
  - File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7656_20x20x32.png
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MapsBadgeLogo.scale-100.png
  - File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png
  - File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-200_contrast-black.png
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.scale-125_contrast-black.png
  - File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\en-US\oledb32r.dll.mui
  - File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\CoreEngine\Data\3DBrush\round.mtl
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-30.png
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\plugin.js
  - File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml
  - File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailLargeTile.scale-200.png
  - File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_2015.7906.42257.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml
  - File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\pf_60x42.png
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner_mini.gif
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\tumbleweed.png
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\fb_blank_profile_portrait.png
  - File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar
  - File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as80.xsl
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-200.png
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\EmbossContour.scale-140.png
  - File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-white_scale-100.png
  - File opened for modification C:\Program Files\LimitCompress.sql
  - File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: vds.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000
  - Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000
  - Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName
Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  - vssadmin.exe (PID 860)

Modifies system certificate store
  Processes: Fat32Formatter.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  - Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted]
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - Fat32Formatter.exe (PID 4196) (2 events)

Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes:
  - Fat32Formatter.exe (PID 4764)
  - Fat32Formatter.exe (PID 4352)
  - Fat32Formatter.exe (PID 4740)
  - Fat32Formatter.exe (PID 1016)
  - Fat32Formatter.exe (PID 4684)
Suspicious use of AdjustPrivilegeToken (50 IoCs)
  Processes:
  - svchost.exe (PID 3904): SeTcbPrivilege (2 events)
  - vssvc.exe (PID 492): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - wbengine.exe (PID 1588): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  - WMIC.exe (PID 2384), the following sequence observed twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of WriteProcessMemory (56 IoCs)
  Processes:
  - Fat32Formatter.exe (PID 4764) wrote to memory of Fat32Formatter.exe (PID 4196) (4 events)
  - svchost.exe (PID 3904) wrote to memory of Fat32Formatter.exe (PID 4352) (7 events)
  - Fat32Formatter.exe (PID 4196) wrote to memory of cmd.exe (PID 560) (2 events)
  - cmd.exe (PID 560) wrote to memory of vssadmin.exe (PID 860) (2 events)
  - cmd.exe (PID 560) wrote to memory of wbadmin.exe (PID 1424) (2 events)
  - cmd.exe (PID 560) wrote to memory of WMIC.exe (PID 2384) (2 events)
  - Fat32Formatter.exe (PID 4352) wrote to memory of Fat32Formatter.exe (PID 2848) (4 events)
  - svchost.exe (PID 3904) wrote to memory of Fat32Formatter.exe (PID 4740) (7 events)
  - Fat32Formatter.exe (PID 4740) wrote to memory of Fat32Formatter.exe (PID 212) (4 events)
  - svchost.exe (PID 3904) wrote to memory of Fat32Formatter.exe (PID 1016) (7 events)
  - Fat32Formatter.exe (PID 1016) wrote to memory of Fat32Formatter.exe (PID 4756) (4 events)
  - svchost.exe (PID 3904) wrote to memory of Fat32Formatter.exe (PID 4684) (7 events)
  - Fat32Formatter.exe (PID 4684) wrote to memory of Fat32Formatter.exe (PID 4416) (4 events)
Processes (tree; nesting shows parent/child relationship)

- C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe"
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe"
    Signatures: Modifies extensions of user files; Adds Run key to start application; Drops file in Program Files directory; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n4196
      Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n4196
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        Signatures: Interacts with shadow copies
      - C:\Windows\system32\wbadmin.exe
        Command line: wbadmin delete catalog -quiet
        Signatures: Deletes backup catalog
      - C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n4196
      Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n4196
    - C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n4196
      Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n4196
    - C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n4196
      Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n4196
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  Signatures: Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Roaming\383576795
  MD5: 756cfe82165ec855a64091981d5f5bb5
  SHA1: abd6176b182350b4a1e94e48f61a46a504e83960
  SHA256: 46ee26397eacdbef7464c7d0ddb364450ab948eb4f556723221cb369d7ab98dd
  SHA512: b3ec9f6420526b5170148ebb33f8c8939e69f0471f6d0bb7a00812ade4c4e1400e5d3fec43737de16547d77e06dbefb691230213b9ef34cb24f8566916a4a667

- C:\Users\Admin\AppData\Roaming\383576795 (this version listed three times in the report)
  MD5: bb142cd23c450d199e7932c0d1c4825d
  SHA1: 72302e59c731e98ea1482a7bddce5fd32c2fc55a
  SHA256: 4dfe99c8d27a3cdb4e2ea5fd8494849439fb71c5d868aa2e520e8e5a0c713fb2
  SHA512: 925dd03e439e79bd08dd66d4e9ff4c8ea44b7e6a7f2d686493e8dcf9f9bae12b0e21cfcf08381620c11a517a8b282642a6187b4a4bc982d97ed26edc3085656f

- C:\Users\Admin\AppData\Roaming\383576795
  MD5: bf07742f4cf31d3afb25e9298c11fedf
  SHA1: 19a2478529d62768c64c2f12d378068e414b2c66
  SHA256: 5159acf3395114999ebc337e6e9662c15e1303d6153924e863b4e010622e0c39
  SHA512: 67d2b43df89b4d520802608e4f369586bd7759290206414f025ef8a485b451cfccf88c76b03bafeb5ba0e93b95178f8df0a45d26e070e94eb72031f5834acfdf

- C:\Users\Admin\AppData\Roaming\383576795
  MD5: d54dd89f7d467b258f9f0e4887a3a22b
  SHA1: f315fd4556ce4c07255b432663cfb7713f509142
  SHA256: 0a7830641decd23e56a443ed118b0da31d4588fc204ec7c276eff5ca667f688b
  SHA512: c78d22dd61f9ba6cf13ecc6970982820f36410079177d4d5e1cbfd50d8bb78b84cf564e7c3cd0683024ec88707406d4afebdc33b8c7b4dcd69b6f7ea33d379c2

- C:\Users\Admin\AppData\Roaming\383576795
  MD5: 67275830e475eb36218882623bb8cc5b
  SHA1: 8a178dd1b685d5ae90da7c8468b8aa1255a81bcd
  SHA256: 064f5261c960a43271aecf05f648e4e2941711eba4c0f792675e2244c31d6ad5
  SHA512: 2dd961317761733b39ed48a4dbaea4171157975133068312e18544914e73e2ad5a89ce27551cb2165023996746f2233c5202e2ab89028a79afc8e1745a34c6df

- \Users\Admin\AppData\Local\Temp\nshE14A.tmp\System.dll
- \Users\Admin\AppData\Local\Temp\nsi742D.tmp\System.dll
- \Users\Admin\AppData\Local\Temp\nss6469.tmp\System.dll
- \Users\Admin\AppData\Local\Temp\nsv5D40.tmp\System.dll
- \Users\Admin\AppData\Local\Temp\nsv6086.tmp\System.dll
  (all five System.dll copies have identical hashes)
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- memory/212-19-0x0000000000405A20-mapping.dmp
- memory/560-5-0x0000000000000000-mapping.dmp
- memory/860-6-0x0000000000000000-mapping.dmp
- memory/1016-21-0x0000000000000000-mapping.dmp
- memory/1424-8-0x0000000000000000-mapping.dmp
- memory/2384-11-0x0000000000000000-mapping.dmp
- memory/2848-12-0x0000000000405A20-mapping.dmp
- memory/4196-7-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/4196-3-0x0000000000405A20-mapping.dmp
- memory/4352-4-0x0000000000000000-mapping.dmp
- memory/4416-31-0x0000000000405A20-mapping.dmp
- memory/4684-27-0x0000000000000000-mapping.dmp
- memory/4740-16-0x0000000000000000-mapping.dmp
- memory/4756-25-0x0000000000405A20-mapping.dmp