Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 19-02-2021 04:00
Static task: static1
Behavioral task: behavioral1
- Sample: 70ca11d0dfb726a0c141e05253a1b42d.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 70ca11d0dfb726a0c141e05253a1b42d.exe
- Resource: win10v20201028
General
- Target: 70ca11d0dfb726a0c141e05253a1b42d.exe
- Size: 581KB
- MD5: 70ca11d0dfb726a0c141e05253a1b42d
- SHA1: 3b8ff05941e2acebf7fc071c70b18ea9da83326b
- SHA256: 0b3e8b562e8fe50b6039db8d1f3871bdf6f9d1f9246ab7459eb91844bcbc8bd6
- SHA512: dc08a9d20e5fc789a1ffab9f9b2cd136bdc9e61f44f6c9ee06b0ae15495db9a1bf340b4d75fb393eadce75fc1cdfb7cb6f80cce525e4850305ea5b0906850478
Malware Config
Extracted
- Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- Family: buran
- Emails: kassmaster@tutanota.com, kassmaster@danwin1210.me
Signatures
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  3700 | smss.exe
  1892 | smss.exe
- YARA rule matches (resource | yara_rule):
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | upx
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | upx
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | upx
- Deletes itself (1 IoCs)
  Processes (pid | process):
  2912 | notepad.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run | 70ca11d0dfb726a0c141e05253a1b42d.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start" | 70ca11d0dfb726a0c141e05253a1b42d.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description | ioc | process); one entry per drive letter, in the order reported:
  File opened (read-only) | \??\H: \??\E: \??\A: \??\Z: \??\Y: \??\U: \??\L: \??\O: \??\J: \??\F: \??\G: \??\W: \??\V: \??\T: \??\N: \??\P: \??\M: \??\K: \??\I: \??\X: \??\S: \??\R: \??\Q: \??\B: | smss.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
  9 | geoiptool.com
- Drops file in Program Files directory (64 IoCs)
  Processes (description | ioc | process); every entry is "File opened for modification | <path> | smss.exe", with the paths:
  C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml
  C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.F88-77F-E2B
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\THMBNAIL.PNG.F88-77F-E2B
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\pyramid_menu_icon.png
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeDownload\download_bar_base.png
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf
  C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml
  C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml.F88-77F-E2B
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gw_60x42.png
  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreLargeTile.scale-200.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api.F88-77F-E2B
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\logging.properties
  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\1.jpg
  C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\en-GB.PostalAddress.ot
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-125.png
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\WideTile.scale-200.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg.F88-77F-E2B
  C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms.F88-77F-E2B
  C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms
  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.png.F88-77F-E2B
  C:\Program Files\Microsoft Office\root\Office16\mscss7cm_es.dub.F88-77F-E2B
  C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac.F88-77F-E2B
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-16_altform-unplated.png
  C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderStoreLogo.contrast-white_scale-100.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-focus_32.svg
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties.F88-77F-E2B
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_zh_4.4.0.v20140623020002.jar
  C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-ms
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\XboxControl\DefaultAvatar.png
  C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-40_altform-unplated.png
  C:\Program Files\7-Zip\Lang\yo.txt
  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms
  C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\sttionry.jpg
  C:\Program Files\Microsoft Office\root\Office16\OFFSYMK.TTF
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4665_20x20x32.png
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\SmallTile.scale-200.png
  C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms.F88-77F-E2B
  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.White@3x.png
  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\LargeTile.scale-125.png
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4613_20x20x32.png
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\moji_mask.contrast-standard.png
  C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe.F88-77F-E2B
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_ko.properties.F88-77F-E2B
  C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.F88-77F-E2B
  C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20.png
  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-100.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-57x57-precomposed.png
  C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaSansDemiBold.ttf
  C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\msipc.dll.mui.F88-77F-E2B
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-125.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg.F88-77F-E2B
  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.F88-77F-E2B
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\common\King_Of_The_Hill_Unearned_small.png
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5601_40x40x32.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6416_48x48x32.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-100.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\SearchEmail2x.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluDCFilesEmpty_180x180.svg
  C:\Program Files\VideoLAN\VLC\AUTHORS.txt.F88-77F-E2B
  C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\OneConnectAppList.scale-125.png
  C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletLockScreenLogo.scale-200.png
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\evilgrin.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-256_altform-unplated.png
  C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid | process):
  4004 | vssadmin.exe
  3640 | vssadmin.exe
- Modifies system certificate store
  Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | 70ca11d0dfb726a0c141e05253a1b42d.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | 70ca11d0dfb726a0c141e05253a1b42d.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
  3700 | smss.exe (one entry per IoC, 64 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process); one entry per token, in the order reported:
  Token: SeDebugPrivilege | 1400 | 70ca11d0dfb726a0c141e05253a1b42d.exe (2 entries)
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 3016 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 3960 | WMIC.exe
  Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 2244 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege | 3960 | WMIC.exe
- Suspicious use of WriteProcessMemory (42 IoCs)
  Processes (description | pid | process | target process):
  PID 1400 wrote to memory of 3700 | 1400 | 70ca11d0dfb726a0c141e05253a1b42d.exe | smss.exe (3 entries)
  PID 1400 wrote to memory of 2912 | 1400 | 70ca11d0dfb726a0c141e05253a1b42d.exe | notepad.exe (6 entries)
  PID 3700 wrote to memory of 1120 | 3700 | smss.exe | cmd.exe (3 entries)
  PID 3700 wrote to memory of 4000 | 3700 | smss.exe | cmd.exe (3 entries)
  PID 3700 wrote to memory of 4040 | 3700 | smss.exe | cmd.exe (3 entries)
  PID 3700 wrote to memory of 2084 | 3700 | smss.exe | cmd.exe (3 entries)
  PID 3700 wrote to memory of 3804 | 3700 | smss.exe | cmd.exe (3 entries)
  PID 3700 wrote to memory of 3472 | 3700 | smss.exe | cmd.exe (3 entries)
  PID 3700 wrote to memory of 1892 | 3700 | smss.exe | smss.exe (3 entries)
  PID 3804 wrote to memory of 4004 | 3804 | cmd.exe | vssadmin.exe (3 entries)
  PID 1120 wrote to memory of 3960 | 1120 | cmd.exe | WMIC.exe (3 entries)
  PID 3472 wrote to memory of 3016 | 3472 | cmd.exe | WMIC.exe (3 entries)
  PID 3472 wrote to memory of 3640 | 3472 | cmd.exe | vssadmin.exe (3 entries)
Processes (indentation shows parent/child depth in the process tree)
- C:\Users\Admin\AppData\Local\Temp\70ca11d0dfb726a0c141e05253a1b42d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\70ca11d0dfb726a0c141e05253a1b42d.exe"
  Signatures: Adds Run key to start application; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
    Signatures: Executes dropped EXE; Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        Signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        Signatures: Interacts with shadow copies
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
      Signatures: Executes dropped EXE; Drops file in Program Files directory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
  - C:\Windows\SysWOW64\notepad.exe
    Command line: notepad.exe
    Signatures: Deletes itself
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5: de45a65ca84a9d847a105fcf5db17d4d
  SHA1: 7e9bf35371fa3ceb195e2b2ab9a55be036464e1f
  SHA256: 35f6afd87526003ea4433d30b8561609d3af244d4602acc30e8b491a30b51694
  SHA512: f60e252ffabb64a1b5413e02cd46c10df3cfacadd4051ac50674f79c834cd5607bf49660d57665b18fd86e6b493411afe17668b2cbd131bfeeae954dd2da52d8
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5: 25702f32850469ed11d3cd68086b8e48
  SHA1: 170ace58972fae2bbc1f254631c95c1ccf7388ff
  SHA256: 42bf99c6490ec13de964fd7e4eaafc5df9f95a87b92f65e2cac8e18a79954411
  SHA512: 2d121b1442dd4b449c5bafb9bd295a0f15f02aba9030e4571e258420779431cd6dbec11c867284f8ae84f69a1c7b032110e9fab89ab75456f77b6d7aed74706b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: 1217ab0d20378cd200fbe07bedb5ee7b
  SHA1: b10c62032206809cc18abab57a26bd1916005ce0
  SHA256: d772cb57e040249255d60d6265daabaf009303399dde95f7e37093a4d0e7b613
  SHA512: 732d0f36070083b88f340ee9831672cdaaad55a2052b2833096264c81441da5b1c5e8b327ab2549d19fd50517aad95b0a98a6af5f2aeb218e1a97970bb2188bb
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5: 3db6ecad94f78ad84cdb3cbfaae9e94e
  SHA1: 1917d09d2ec4786134a8043e014da59973145565
  SHA256: 12964fd0ca8cb6830fdfbfc5aa99c0ff6dcd251887850e56eeb70aa73dbf2db7
  SHA512: 00937e4a18d2f1e50859acd86000a2c7353d9886358a2dc37b0b9d361bc7f782b50278a0ec75900da387294bea7a6bd9acb39ce8df4b1e2e1fcc09f1057e6b0b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5: 8b23efbd4e1b291ccb2e7099b5a8d6f4
  SHA1: 060e4c86f03ff22c7b5125a71d1bef64c5abe6df
  SHA256: 0ccbfcf507251505845bd670a8c4eb90671ee076fd0931923ce5cf3bff20e2fe
  SHA512: 4a8f8a5291be668f63a0e68d8fb66eaf01160278f3746ef04ac6521eb3d17dd6cca1b64aafe9652181a8a2e16f1c6c4853ceb0b99b81fc559226d8069fed45e5
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: f17a4733f39987fc6372f71b82b81c40
  SHA1: 06a1a9dd1c36a32569a44746a118262dfe746ee5
  SHA256: 914839458f10a35de614c1709586b1e5a7e2eb97418bcd32ecb50729d04fef44
  SHA512: ceed1a0fb5ec1ad8b66c0198edf6010a66aaca30b6ee0364224a23ceb17453751e0be10eab552f46db8882c270c48e1d434aec7cd77a49dccd61e0a3c238b15d
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\LX1MQO3T.htm
  MD5: b1cd7c031debba3a5c77b39b6791c1a7
  SHA1: e5d91e14e9c685b06f00e550d9e189deb2075f76
  SHA256: 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
  SHA512: d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\15H3386D.htm
  MD5: 8615e70875c2cc0b9db16027b9adf11d
  SHA1: 4ed62cf405311c0ff562a3c59334a15ddc4f1bf9
  SHA256: da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d
  SHA512: cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73
- C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  MD5: ef572e2c7b1bbd57654b36e8dcfdc37a
  SHA1: b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
  SHA256: e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
  SHA512: b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe (listed 3 times with identical hashes)
  MD5: 70ca11d0dfb726a0c141e05253a1b42d
  SHA1: 3b8ff05941e2acebf7fc071c70b18ea9da83326b
  SHA256: 0b3e8b562e8fe50b6039db8d1f3871bdf6f9d1f9246ab7459eb91844bcbc8bd6
  SHA512: dc08a9d20e5fc789a1ffab9f9b2cd136bdc9e61f44f6c9ee06b0ae15495db9a1bf340b4d75fb393eadce75fc1cdfb7cb6f80cce525e4850305ea5b0906850478
- memory/1120-16-0x0000000000000000-mapping.dmp
- memory/1892-22-0x0000000000000000-mapping.dmp
- memory/2084-19-0x0000000000000000-mapping.dmp
- memory/2912-5-0x0000000000580000-0x0000000000581000-memory.dmp (Filesize: 4KB)
- memory/2912-6-0x0000000000000000-mapping.dmp
- memory/3016-27-0x0000000000000000-mapping.dmp
- memory/3472-21-0x0000000000000000-mapping.dmp
- memory/3640-28-0x0000000000000000-mapping.dmp
- memory/3700-2-0x0000000000000000-mapping.dmp
- memory/3804-20-0x0000000000000000-mapping.dmp
- memory/3960-26-0x0000000000000000-mapping.dmp
- memory/4000-17-0x0000000000000000-mapping.dmp
- memory/4004-25-0x0000000000000000-mapping.dmp
- memory/4040-18-0x0000000000000000-mapping.dmp