Analysis
- Max time kernel: 38s
- Max time network: 39s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 10-02-2021 00:26
- Static task: static1
- Behavioral task: behavioral1
  Sample: 이력서(경력사항이랑 같이 기재하였습니다 잘 부탁드리겠습니다).exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: 이력서(경력사항이랑 같이 기재하였습니다 잘 부탁드리겠습니다).exe
  Resource: win10v20201028

General
- Target: 이력서(경력사항이랑 같이 기재하였습니다 잘 부탁드리겠습니다).exe
- Size: 40KB
- MD5: 5c02cb26de796b4eb98d860530e9b7b5
- SHA1: 30d0c096df1d09eb24b8cfc3663fa1ed7f351f49
- SHA256: 20c4b391c9460dd00fb0907cb6cd67c60b7f87a2761851c360e0a60d984e111a
- SHA512: c60cbcc4b52674c49d5fbd3fb685427b0ece394c1f4b7bfd9f4c8b913153786c067b39a088205a05b826f49bfc40f56e8eedd83e72d447e94e9ebce84a5fa5b8
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
- Family: makop
- Emails: vassago_0203@tutanota.com, vassago0203@cock.li
Signatures
- Makop
  Ransomware family discovered by @VK_Intel in early 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
  Processes: wbadmin.exe (PID 572)
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 이력서(경력사항이랑 같이 기재하였습니다 잘 부탁드리겠습니다).exe
  File opened for modification: C:\Users\Admin\Pictures\PushRedo.tiff
  File opened for modification: C:\Users\Admin\Pictures\UnlockUnprotect.tiff
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Drops file in Program Files directory (64 IoCs)
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1752)
- Modifies system certificate store
  Processes: 이력서(경력사항이랑 같이 기재하였습니다 잘 부탁드리겠습니다).exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  Set value (data), recorded twice: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: 이력서(경력사항이랑 같이 기재하였습니다 잘 부탁드리겠습니다).exe (PID 1724)
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes and privileges enabled on the token:
  vssvc.exe (PID 1308): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  wbengine.exe (PID 812): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  WMIC.exe (PID 1404), the following set recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (source PID wrote to memory of target PID):
  PID 1724 (이력서(경력사항이랑 같이 기재하였습니다 잘 부탁드리겠습니다).exe) wrote to memory of PID 1996 (cmd.exe), recorded 4 times
  PID 1996 (cmd.exe) wrote to memory of PID 1752 (vssadmin.exe), recorded 3 times
  PID 1996 (cmd.exe) wrote to memory of PID 572 (wbadmin.exe), recorded 3 times
  PID 1996 (cmd.exe) wrote to memory of PID 1404 (WMIC.exe), recorded 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\이력서(경력사항이랑 같이 기재하였습니다 잘 부탁드리겠습니다).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\이력서(경력사항이랑 같이 기재하였습니다 잘 부탁드리겠습니다).exe"
  Signatures: Modifies extensions of user files; Drops file in Program Files directory; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\이력서(경력사항이랑 같이 기재하였습니다 잘 부탁드리겠습니다).exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\이력서(경력사항이랑 같이 기재하였습니다 잘 부탁드리겠습니다).exe" n1724
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\system32\wbadmin.exe
      Command line: wbadmin delete catalog -quiet
      Signatures: Deletes backup catalog
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
Downloads
- memory/572-6-0x0000000000000000-mapping.dmp
- memory/572-7-0x000007FEFC601000-0x000007FEFC603000-memory.dmp (filesize 8KB)
- memory/1404-8-0x0000000000000000-mapping.dmp
- memory/1724-2-0x00000000761E1000-0x00000000761E3000-memory.dmp (filesize 8KB)
- memory/1752-5-0x0000000000000000-mapping.dmp
- memory/1964-9-0x000007FEF6AC0000-0x000007FEF6D3A000-memory.dmp (filesize 2.5MB)
- memory/1996-3-0x0000000000000000-mapping.dmp