buran | 0b3e8b562e8fe50b6039db8d1f3871bdf6f9d1f9246ab7459eb91844bcbc8bd6

Analysis

max time kernel
150s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
19-02-2021 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70ca11d0dfb726a0c141e05253a1b42d.exe
Size

581KB
MD5

70ca11d0dfb726a0c141e05253a1b42d
SHA1

3b8ff05941e2acebf7fc071c70b18ea9da83326b
SHA256

0b3e8b562e8fe50b6039db8d1f3871bdf6f9d1f9246ab7459eb91844bcbc8bd6
SHA512

dc08a9d20e5fc789a1ffab9f9b2cd136bdc9e61f44f6c9ee06b0ae15495db9a1bf340b4d75fb393eadce75fc1cdfb7cb6f80cce525e4850305ea5b0906850478

Score

10^/10

buran persistence ransomware upx

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: kassmaster@tutanota.com and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: kassmaster@tutanota.com Reserved email: kassmaster@danwin1210.me Your personal ID: F88-77F-E2B Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

kassmaster@tutanota.com

kassmaster@danwin1210.me

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

smss.exesmss.exe

pid process

3700 smss.exe
1892 smss.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe	upx

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

2912 notepad.exe

pid	process
2912	notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

70ca11d0dfb726a0c141e05253a1b42d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	70ca11d0dfb726a0c141e05253a1b42d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	70ca11d0dfb726a0c141e05253a1b42d.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smss.exe

description	ioc	process
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\F:	smss.exe
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\B:	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 geoiptool.com

flow	ioc
9	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

smss.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.F88-77F-E2B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\THMBNAIL.PNG.F88-77F-E2B	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\pyramid_menu_icon.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeDownload\download_bar_base.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml.F88-77F-E2B	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gw_60x42.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreLargeTile.scale-200.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api.F88-77F-E2B	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\logging.properties	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\1.jpg	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\en-GB.PostalAddress.ot	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\WideTile.scale-200.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg.F88-77F-E2B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms.F88-77F-E2B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.png.F88-77F-E2B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_es.dub.F88-77F-E2B	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac.F88-77F-E2B	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-16_altform-unplated.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderStoreLogo.contrast-white_scale-100.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-focus_32.svg	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties.F88-77F-E2B	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_zh_4.4.0.v20140623020002.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-ms	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\XboxControl\DefaultAvatar.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-40_altform-unplated.png	smss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\sttionry.jpg	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMK.TTF	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4665_20x20x32.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\SmallTile.scale-200.png	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms.F88-77F-E2B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.White@3x.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\LargeTile.scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4613_20x20x32.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\moji_mask.contrast-standard.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe.F88-77F-E2B	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_ko.properties.F88-77F-E2B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.F88-77F-E2B	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-100.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-57x57-precomposed.png	smss.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaSansDemiBold.ttf	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\msipc.dll.mui.F88-77F-E2B	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-125.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg.F88-77F-E2B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.F88-77F-E2B	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\common\King_Of_The_Hill_Unearned_small.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5601_40x40x32.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6416_48x48x32.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-100.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\SearchEmail2x.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluDCFilesEmpty_180x180.svg	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\AUTHORS.txt.F88-77F-E2B	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\OneConnectAppList.scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletLockScreenLogo.scale-200.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\evilgrin.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-256_altform-unplated.png	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4004 vssadmin.exe
3640 vssadmin.exe

pid	process
4004	vssadmin.exe
3640	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

70ca11d0dfb726a0c141e05253a1b42d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	70ca11d0dfb726a0c141e05253a1b42d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	70ca11d0dfb726a0c141e05253a1b42d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

smss.exe

pid	process
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe
3700	smss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

70ca11d0dfb726a0c141e05253a1b42d.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1400	70ca11d0dfb726a0c141e05253a1b42d.exe
Token: SeDebugPrivilege	1400	70ca11d0dfb726a0c141e05253a1b42d.exe
Token: SeIncreaseQuotaPrivilege	3016	WMIC.exe
Token: SeSecurityPrivilege	3016	WMIC.exe
Token: SeTakeOwnershipPrivilege	3016	WMIC.exe
Token: SeLoadDriverPrivilege	3016	WMIC.exe
Token: SeSystemProfilePrivilege	3016	WMIC.exe
Token: SeSystemtimePrivilege	3016	WMIC.exe
Token: SeProfSingleProcessPrivilege	3016	WMIC.exe
Token: SeIncBasePriorityPrivilege	3016	WMIC.exe
Token: SeCreatePagefilePrivilege	3016	WMIC.exe
Token: SeBackupPrivilege	3016	WMIC.exe
Token: SeRestorePrivilege	3016	WMIC.exe
Token: SeShutdownPrivilege	3016	WMIC.exe
Token: SeDebugPrivilege	3016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3016	WMIC.exe
Token: SeRemoteShutdownPrivilege	3016	WMIC.exe
Token: SeUndockPrivilege	3016	WMIC.exe
Token: SeManageVolumePrivilege	3016	WMIC.exe
Token: 33	3016	WMIC.exe
Token: 34	3016	WMIC.exe
Token: 35	3016	WMIC.exe
Token: 36	3016	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3960	WMIC.exe
Token: SeSecurityPrivilege	3960	WMIC.exe
Token: SeTakeOwnershipPrivilege	3960	WMIC.exe
Token: SeLoadDriverPrivilege	3960	WMIC.exe
Token: SeSystemProfilePrivilege	3960	WMIC.exe
Token: SeSystemtimePrivilege	3960	WMIC.exe
Token: SeProfSingleProcessPrivilege	3960	WMIC.exe
Token: SeIncBasePriorityPrivilege	3960	WMIC.exe
Token: SeCreatePagefilePrivilege	3960	WMIC.exe
Token: SeBackupPrivilege	3960	WMIC.exe
Token: SeRestorePrivilege	3960	WMIC.exe
Token: SeShutdownPrivilege	3960	WMIC.exe
Token: SeDebugPrivilege	3960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3960	WMIC.exe
Token: SeRemoteShutdownPrivilege	3960	WMIC.exe
Token: SeUndockPrivilege	3960	WMIC.exe
Token: SeManageVolumePrivilege	3960	WMIC.exe
Token: 33	3960	WMIC.exe
Token: 34	3960	WMIC.exe
Token: 35	3960	WMIC.exe
Token: 36	3960	WMIC.exe
Token: SeBackupPrivilege	2244	vssvc.exe
Token: SeRestorePrivilege	2244	vssvc.exe
Token: SeAuditPrivilege	2244	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3960	WMIC.exe
Token: SeSecurityPrivilege	3960	WMIC.exe
Token: SeTakeOwnershipPrivilege	3960	WMIC.exe
Token: SeLoadDriverPrivilege	3960	WMIC.exe
Token: SeSystemProfilePrivilege	3960	WMIC.exe
Token: SeSystemtimePrivilege	3960	WMIC.exe
Token: SeProfSingleProcessPrivilege	3960	WMIC.exe
Token: SeIncBasePriorityPrivilege	3960	WMIC.exe
Token: SeCreatePagefilePrivilege	3960	WMIC.exe
Token: SeBackupPrivilege	3960	WMIC.exe
Token: SeRestorePrivilege	3960	WMIC.exe
Token: SeShutdownPrivilege	3960	WMIC.exe
Token: SeDebugPrivilege	3960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3960	WMIC.exe
Token: SeRemoteShutdownPrivilege	3960	WMIC.exe
Token: SeUndockPrivilege	3960	WMIC.exe
Token: SeManageVolumePrivilege	3960	WMIC.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

70ca11d0dfb726a0c141e05253a1b42d.exesmss.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1400 wrote to memory of 3700	1400	70ca11d0dfb726a0c141e05253a1b42d.exe	smss.exe
PID 1400 wrote to memory of 3700	1400	70ca11d0dfb726a0c141e05253a1b42d.exe	smss.exe
PID 1400 wrote to memory of 3700	1400	70ca11d0dfb726a0c141e05253a1b42d.exe	smss.exe
PID 1400 wrote to memory of 2912	1400	70ca11d0dfb726a0c141e05253a1b42d.exe	notepad.exe
PID 1400 wrote to memory of 2912	1400	70ca11d0dfb726a0c141e05253a1b42d.exe	notepad.exe
PID 1400 wrote to memory of 2912	1400	70ca11d0dfb726a0c141e05253a1b42d.exe	notepad.exe
PID 1400 wrote to memory of 2912	1400	70ca11d0dfb726a0c141e05253a1b42d.exe	notepad.exe
PID 1400 wrote to memory of 2912	1400	70ca11d0dfb726a0c141e05253a1b42d.exe	notepad.exe
PID 1400 wrote to memory of 2912	1400	70ca11d0dfb726a0c141e05253a1b42d.exe	notepad.exe
PID 3700 wrote to memory of 1120	3700	smss.exe	cmd.exe
PID 3700 wrote to memory of 1120	3700	smss.exe	cmd.exe
PID 3700 wrote to memory of 1120	3700	smss.exe	cmd.exe
PID 3700 wrote to memory of 4000	3700	smss.exe	cmd.exe
PID 3700 wrote to memory of 4000	3700	smss.exe	cmd.exe
PID 3700 wrote to memory of 4000	3700	smss.exe	cmd.exe
PID 3700 wrote to memory of 4040	3700	smss.exe	cmd.exe
PID 3700 wrote to memory of 4040	3700	smss.exe	cmd.exe
PID 3700 wrote to memory of 4040	3700	smss.exe	cmd.exe
PID 3700 wrote to memory of 2084	3700	smss.exe	cmd.exe
PID 3700 wrote to memory of 2084	3700	smss.exe	cmd.exe
PID 3700 wrote to memory of 2084	3700	smss.exe	cmd.exe
PID 3700 wrote to memory of 3804	3700	smss.exe	cmd.exe
PID 3700 wrote to memory of 3804	3700	smss.exe	cmd.exe
PID 3700 wrote to memory of 3804	3700	smss.exe	cmd.exe
PID 3700 wrote to memory of 3472	3700	smss.exe	cmd.exe
PID 3700 wrote to memory of 3472	3700	smss.exe	cmd.exe
PID 3700 wrote to memory of 3472	3700	smss.exe	cmd.exe
PID 3700 wrote to memory of 1892	3700	smss.exe	smss.exe
PID 3700 wrote to memory of 1892	3700	smss.exe	smss.exe
PID 3700 wrote to memory of 1892	3700	smss.exe	smss.exe
PID 3804 wrote to memory of 4004	3804	cmd.exe	vssadmin.exe
PID 3804 wrote to memory of 4004	3804	cmd.exe	vssadmin.exe
PID 3804 wrote to memory of 4004	3804	cmd.exe	vssadmin.exe
PID 1120 wrote to memory of 3960	1120	cmd.exe	WMIC.exe
PID 1120 wrote to memory of 3960	1120	cmd.exe	WMIC.exe
PID 1120 wrote to memory of 3960	1120	cmd.exe	WMIC.exe
PID 3472 wrote to memory of 3016	3472	cmd.exe	WMIC.exe
PID 3472 wrote to memory of 3016	3472	cmd.exe	WMIC.exe
PID 3472 wrote to memory of 3016	3472	cmd.exe	WMIC.exe
PID 3472 wrote to memory of 3640	3472	cmd.exe	vssadmin.exe
PID 3472 wrote to memory of 3640	3472	cmd.exe	vssadmin.exe
PID 3472 wrote to memory of 3640	3472	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\70ca11d0dfb726a0c141e05253a1b42d.exe
"C:\Users\Admin\AppData\Local\Temp\70ca11d0dfb726a0c141e05253a1b42d.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:4000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:4040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:4004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:3640

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:2084

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:2912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
de45a65ca84a9d847a105fcf5db17d4d

SHA1
7e9bf35371fa3ceb195e2b2ab9a55be036464e1f

SHA256
35f6afd87526003ea4433d30b8561609d3af244d4602acc30e8b491a30b51694

SHA512
f60e252ffabb64a1b5413e02cd46c10df3cfacadd4051ac50674f79c834cd5607bf49660d57665b18fd86e6b493411afe17668b2cbd131bfeeae954dd2da52d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
25702f32850469ed11d3cd68086b8e48

SHA1
170ace58972fae2bbc1f254631c95c1ccf7388ff

SHA256
42bf99c6490ec13de964fd7e4eaafc5df9f95a87b92f65e2cac8e18a79954411

SHA512
2d121b1442dd4b449c5bafb9bd295a0f15f02aba9030e4571e258420779431cd6dbec11c867284f8ae84f69a1c7b032110e9fab89ab75456f77b6d7aed74706b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
1217ab0d20378cd200fbe07bedb5ee7b

SHA1
b10c62032206809cc18abab57a26bd1916005ce0

SHA256
d772cb57e040249255d60d6265daabaf009303399dde95f7e37093a4d0e7b613

SHA512
732d0f36070083b88f340ee9831672cdaaad55a2052b2833096264c81441da5b1c5e8b327ab2549d19fd50517aad95b0a98a6af5f2aeb218e1a97970bb2188bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
3db6ecad94f78ad84cdb3cbfaae9e94e

SHA1
1917d09d2ec4786134a8043e014da59973145565

SHA256
12964fd0ca8cb6830fdfbfc5aa99c0ff6dcd251887850e56eeb70aa73dbf2db7

SHA512
00937e4a18d2f1e50859acd86000a2c7353d9886358a2dc37b0b9d361bc7f782b50278a0ec75900da387294bea7a6bd9acb39ce8df4b1e2e1fcc09f1057e6b0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
8b23efbd4e1b291ccb2e7099b5a8d6f4

SHA1
060e4c86f03ff22c7b5125a71d1bef64c5abe6df

SHA256
0ccbfcf507251505845bd670a8c4eb90671ee076fd0931923ce5cf3bff20e2fe

SHA512
4a8f8a5291be668f63a0e68d8fb66eaf01160278f3746ef04ac6521eb3d17dd6cca1b64aafe9652181a8a2e16f1c6c4853ceb0b99b81fc559226d8069fed45e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
f17a4733f39987fc6372f71b82b81c40

SHA1
06a1a9dd1c36a32569a44746a118262dfe746ee5

SHA256
914839458f10a35de614c1709586b1e5a7e2eb97418bcd32ecb50729d04fef44

SHA512
ceed1a0fb5ec1ad8b66c0198edf6010a66aaca30b6ee0364224a23ceb17453751e0be10eab552f46db8882c270c48e1d434aec7cd77a49dccd61e0a3c238b15d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\LX1MQO3T.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\15H3386D.htm
MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
MD5
70ca11d0dfb726a0c141e05253a1b42d

SHA1
3b8ff05941e2acebf7fc071c70b18ea9da83326b

SHA256
0b3e8b562e8fe50b6039db8d1f3871bdf6f9d1f9246ab7459eb91844bcbc8bd6

SHA512
dc08a9d20e5fc789a1ffab9f9b2cd136bdc9e61f44f6c9ee06b0ae15495db9a1bf340b4d75fb393eadce75fc1cdfb7cb6f80cce525e4850305ea5b0906850478

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
MD5
70ca11d0dfb726a0c141e05253a1b42d

SHA1
3b8ff05941e2acebf7fc071c70b18ea9da83326b

SHA256
0b3e8b562e8fe50b6039db8d1f3871bdf6f9d1f9246ab7459eb91844bcbc8bd6

SHA512
dc08a9d20e5fc789a1ffab9f9b2cd136bdc9e61f44f6c9ee06b0ae15495db9a1bf340b4d75fb393eadce75fc1cdfb7cb6f80cce525e4850305ea5b0906850478

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
MD5
70ca11d0dfb726a0c141e05253a1b42d

SHA1
3b8ff05941e2acebf7fc071c70b18ea9da83326b

SHA256
0b3e8b562e8fe50b6039db8d1f3871bdf6f9d1f9246ab7459eb91844bcbc8bd6

SHA512
dc08a9d20e5fc789a1ffab9f9b2cd136bdc9e61f44f6c9ee06b0ae15495db9a1bf340b4d75fb393eadce75fc1cdfb7cb6f80cce525e4850305ea5b0906850478

Download Submit
memory/1120-16-0x0000000000000000-mapping.dmp

Download
memory/1892-22-0x0000000000000000-mapping.dmp

Download
memory/2084-19-0x0000000000000000-mapping.dmp

Download
memory/2912-5-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2912-6-0x0000000000000000-mapping.dmp

Download
memory/3016-27-0x0000000000000000-mapping.dmp

Download
memory/3472-21-0x0000000000000000-mapping.dmp

Download
memory/3640-28-0x0000000000000000-mapping.dmp

Download
memory/3700-2-0x0000000000000000-mapping.dmp

Download
memory/3804-20-0x0000000000000000-mapping.dmp

Download
memory/3960-26-0x0000000000000000-mapping.dmp

Download
memory/4000-17-0x0000000000000000-mapping.dmp

Download
memory/4004-25-0x0000000000000000-mapping.dmp

Download
memory/4040-18-0x0000000000000000-mapping.dmp

Download