Analysis
max time kernel: 152s
max time network: 152s
platform: windows10_x64
resource: win10v20201028
submitted: 28-02-2021 07:19

Static task: static1
Behavioral task: behavioral1
  Sample: d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
  Resource: win10v20201028
General
Target: d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
Size: 271KB
MD5: f8ca42285e4979fc25e1e358aaaf3ee3
SHA1: 83bb7336deceeb094574714c1043ce9d3d420ee8
SHA256: d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1
SHA512: 00bddc7a539b957f9dfb74941c56bab532221f4783d1ec90bde4019b9af68a79886d36d2e12fd9511836a8447cbecd56ee4a988b1e0dd6c6dc170b9c60b20a54
Malware Config
Extracted
Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
Email: threesixnine@ctemplar.com
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
3148  csrss.exe
3616  csrss.exe
-
Deletes itself 1 IoCs
Processes:
pid   process
2816  notepad.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run
  process: d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start"
  process: d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description              ioc     process
File opened (read-only)  \??\Y:  csrss.exe
File opened (read-only)  \??\N:  csrss.exe
File opened (read-only)  \??\I:  csrss.exe
File opened (read-only)  \??\F:  csrss.exe
File opened (read-only)  \??\A:  csrss.exe
File opened (read-only)  \??\U:  csrss.exe
File opened (read-only)  \??\S:  csrss.exe
File opened (read-only)  \??\Q:  csrss.exe
File opened (read-only)  \??\O:  csrss.exe
File opened (read-only)  \??\H:  csrss.exe
File opened (read-only)  \??\B:  csrss.exe
File opened (read-only)  \??\Z:  csrss.exe
File opened (read-only)  \??\P:  csrss.exe
File opened (read-only)  \??\K:  csrss.exe
File opened (read-only)  \??\J:  csrss.exe
File opened (read-only)  \??\E:  csrss.exe
File opened (read-only)  \??\M:  csrss.exe
File opened (read-only)  \??\L:  csrss.exe
File opened (read-only)  \??\G:  csrss.exe
File opened (read-only)  \??\X:  csrss.exe
File opened (read-only)  \??\W:  csrss.exe
File opened (read-only)  \??\V:  csrss.exe
File opened (read-only)  \??\T:  csrss.exe
File opened (read-only)  \??\R:  csrss.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
10    geoiptool.com
-
Drops file in Program Files directory 64 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN086.XML.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC  csrss.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.properties.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-pl.xrm-ms.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-ms  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\OMML2MML.XSL.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe  csrss.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\VERSION.txt  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.White.png.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-ms  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.png  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.boot.tree.dat  csrss.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-modules.jar.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Java\jre1.8.0_66\lib\security\cacerts.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms  csrss.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_ja_4.4.0.v20140623020002.jar  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag-dark@4x.png  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark@3x.png.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png  csrss.exe
File opened for modification  C:\Program Files\7-Zip\Lang\ko.txt  csrss.exe
File opened for modification  C:\Program Files\Java\jre1.8.0_66\lib\resources.jar.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml  csrss.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Templates\1033\SalesReport.xltx  csrss.exe
File opened for modification  C:\Program Files\7-Zip\Lang\lv.txt.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ppd.xrm-ms.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART3.BDR  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png  csrss.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-pl.xrm-ms  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\3082\MSO.ACL.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms  csrss.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms  csrss.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_ja_4.4.0.v20140623020002.jar  csrss.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core_ja.jar.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms  csrss.exe
File opened for modification  C:\Program Files\7-Zip\Lang\pt.txt.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\db\lib\derbytools.jar  csrss.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler.jar  csrss.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_zh_CN.jar.4C1-427-56F  csrss.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\Built-In Building Blocks.dotx.4C1-427-56F  csrss.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid   process
3844  vssadmin.exe
2896  vssadmin.exe
-
Modifies system certificate store
Processes:
description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  process: d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
description: Set value (data)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob value not present in this copy of the report]
  process: d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  636  d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
Token: SeDebugPrivilege  636  d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
Token: SeBackupPrivilege  684  vssvc.exe
Token: SeRestorePrivilege  684  vssvc.exe
Token: SeAuditPrivilege  684  vssvc.exe
Token: SeIncreaseQuotaPrivilege  2648  WMIC.exe
Token: SeSecurityPrivilege  2648  WMIC.exe
Token: SeTakeOwnershipPrivilege  2648  WMIC.exe
Token: SeLoadDriverPrivilege  2648  WMIC.exe
Token: SeSystemProfilePrivilege  2648  WMIC.exe
Token: SeSystemtimePrivilege  2648  WMIC.exe
Token: SeProfSingleProcessPrivilege  2648  WMIC.exe
Token: SeIncBasePriorityPrivilege  2648  WMIC.exe
Token: SeCreatePagefilePrivilege  2648  WMIC.exe
Token: SeBackupPrivilege  2648  WMIC.exe
Token: SeRestorePrivilege  2648  WMIC.exe
Token: SeShutdownPrivilege  2648  WMIC.exe
Token: SeDebugPrivilege  2648  WMIC.exe
Token: SeSystemEnvironmentPrivilege  2648  WMIC.exe
Token: SeRemoteShutdownPrivilege  2648  WMIC.exe
Token: SeUndockPrivilege  2648  WMIC.exe
Token: SeManageVolumePrivilege  2648  WMIC.exe
Token: 33  2648  WMIC.exe
Token: 34  2648  WMIC.exe
Token: 35  2648  WMIC.exe
Token: 36  2648  WMIC.exe
Token: SeIncreaseQuotaPrivilege  188  WMIC.exe
Token: SeSecurityPrivilege  188  WMIC.exe
Token: SeTakeOwnershipPrivilege  188  WMIC.exe
Token: SeLoadDriverPrivilege  188  WMIC.exe
Token: SeSystemProfilePrivilege  188  WMIC.exe
Token: SeSystemtimePrivilege  188  WMIC.exe
Token: SeProfSingleProcessPrivilege  188  WMIC.exe
Token: SeIncBasePriorityPrivilege  188  WMIC.exe
Token: SeCreatePagefilePrivilege  188  WMIC.exe
Token: SeBackupPrivilege  188  WMIC.exe
Token: SeRestorePrivilege  188  WMIC.exe
Token: SeShutdownPrivilege  188  WMIC.exe
Token: SeDebugPrivilege  188  WMIC.exe
Token: SeSystemEnvironmentPrivilege  188  WMIC.exe
Token: SeRemoteShutdownPrivilege  188  WMIC.exe
Token: SeUndockPrivilege  188  WMIC.exe
Token: SeManageVolumePrivilege  188  WMIC.exe
Token: 33  188  WMIC.exe
Token: 34  188  WMIC.exe
Token: 35  188  WMIC.exe
Token: 36  188  WMIC.exe
Token: SeIncreaseQuotaPrivilege  2648  WMIC.exe
Token: SeSecurityPrivilege  2648  WMIC.exe
Token: SeTakeOwnershipPrivilege  2648  WMIC.exe
Token: SeLoadDriverPrivilege  2648  WMIC.exe
Token: SeSystemProfilePrivilege  2648  WMIC.exe
Token: SeSystemtimePrivilege  2648  WMIC.exe
Token: SeProfSingleProcessPrivilege  2648  WMIC.exe
Token: SeIncBasePriorityPrivilege  2648  WMIC.exe
Token: SeCreatePagefilePrivilege  2648  WMIC.exe
Token: SeBackupPrivilege  2648  WMIC.exe
Token: SeRestorePrivilege  2648  WMIC.exe
Token: SeShutdownPrivilege  2648  WMIC.exe
Token: SeDebugPrivilege  2648  WMIC.exe
Token: SeSystemEnvironmentPrivilege  2648  WMIC.exe
Token: SeRemoteShutdownPrivilege  2648  WMIC.exe
Token: SeUndockPrivilege  2648  WMIC.exe
Token: SeManageVolumePrivilege  2648  WMIC.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes:
description  pid  process  target process  (identical rows are collapsed; the count in parentheses gives the number of occurrences in the report)
PID 636 wrote to memory of 3148  636  d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe  csrss.exe  (3)
PID 636 wrote to memory of 2816  636  d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe  notepad.exe  (6)
PID 3148 wrote to memory of 2840  3148  csrss.exe  cmd.exe  (3)
PID 3148 wrote to memory of 3836  3148  csrss.exe  cmd.exe  (3)
PID 3148 wrote to memory of 3920  3148  csrss.exe  cmd.exe  (3)
PID 3148 wrote to memory of 3824  3148  csrss.exe  cmd.exe  (3)
PID 3148 wrote to memory of 3612  3148  csrss.exe  cmd.exe  (3)
PID 3148 wrote to memory of 2680  3148  csrss.exe  cmd.exe  (3)
PID 3148 wrote to memory of 3616  3148  csrss.exe  csrss.exe  (3)
PID 3612 wrote to memory of 2896  3612  cmd.exe  vssadmin.exe  (3)
PID 2680 wrote to memory of 188  2680  cmd.exe  WMIC.exe  (3)
PID 2840 wrote to memory of 2648  2840  cmd.exe  WMIC.exe  (3)
PID 2680 wrote to memory of 3844  2680  cmd.exe  vssadmin.exe  (3)
Processes
(child processes are indented under their parent; each entry gives the image path, the command line, and the signatures that matched that process)

C:\Users\Admin\AppData\Local\Temp\d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe"
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
      - Executes dropped EXE
      - Drops file in Program Files directory

  C:\Windows\SysWOW64\notepad.exe
    command line: notepad.exe
    - Deletes itself

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5 d8b0ff3ef0cac177c2f16157834442b1
SHA1 83504ee29a466c5b6412b7e72c131cd8f975d536
SHA256 667366e5abac32446a226d1cfaef36ebd721bf00334e26b984b477f5c146789c
SHA512 5dafefa8e8677369dca0241512b8b6667f14595770b2f2f1ea7b7ee1717b70f42079c85b1edcea4a45f6fd4896b7a0040264d9b1f63188aba2dd0e5bc25a7eea
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5 c105de5d82dc4fa359f03f82cb0bf797
SHA1 78ec4e7c84b5b941c6ef4814d7eab379d2a7a12b
SHA256 ada540f3499dc0ec44782e7b52f064fc3ae96159a98d34f130deed0fa1dc8ccc
SHA512 c9251ad48cda6ea6b455f99e162040cecdc934eb73f0bda14ad8c32b0458119f0f90f509da942207d87618933dbe3555cfc414d116f7be9d8eb54b259d583e07
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5 c8f5dcc04731e23047a7e0609731c468
SHA1 5f4b7ec761c1d2f3a24417c06e20619216a9678e
SHA256 de35f9bd437d0839a51b5c3cb5c4e2d6c6f586e703b99bfe63e60bea054b0a97
SHA512 2ca4ab3cd0937f82d6e2eecbd9a21c4fc1a73ec1f19dcc8b635ad96b0cbf25383b3e2a552b9f20b59ef671af6c20f21bfcca99b48733f6bd3a9ebf140ac22caa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5 a7b751c312facb7f86eab87f00447b04
SHA1 09353192280aa9ed20271dc0be32011ff0544f27
SHA256 d4a2304df3a137ad269b27e5674d22362b5263890772995e6ab75300f98fceaf
SHA512 4b4f6ebf3c5b263ae107790e7f71f9b74f06094e1a0f04ab544de7f2d4fc6ea72cff00c4796f3794bf31badd57c67697bfd9736e68cf64be96fbbaf8d038cc4e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5 e2469a1dc29c98043a203c637ebd9844
SHA1 e2a3e9ecec4364c8259a0ec376ab65c9feb54e01
SHA256 bf422364f3d58ca462cab43e2dc96dd852f7be1d2536c16443b7bc1c40ebfa5c
SHA512 dca6979f3726161b48764429d276e50a3c196c7057d2f9642fa4b0f8760f533cae386da217541bccf91af5f72a6d4236ee0485888b17aa9c6629154961313101
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5 fdf96a8e00bbc16e8a2b649de06b8c60
SHA1 b7968713582a869939e49fe1d774528a24d930d6
SHA256 28cc95f56ab8a561b0facf3a7bcac8d535d396561e1c03a7d3c7adccfe56084e
SHA512 b152c7148eb8ef97049a35f33d2c4df7086409b8853ffd82054355dba3d5dc193badddd320dc26b743285004218cd0329613d7220ddd2271902f767e53d50894
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\XHW8A468.htm
MD5 b1cd7c031debba3a5c77b39b6791c1a7
SHA1 e5d91e14e9c685b06f00e550d9e189deb2075f76
SHA256 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
SHA512 d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\TAW9RV0I.htm
MD5 8615e70875c2cc0b9db16027b9adf11d
SHA1 4ed62cf405311c0ff562a3c59334a15ddc4f1bf9
SHA256 da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d
SHA512 cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73
-
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5 ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1 b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256 e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512 b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
MD5 f8ca42285e4979fc25e1e358aaaf3ee3
SHA1 83bb7336deceeb094574714c1043ce9d3d420ee8
SHA256 d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1
SHA512 00bddc7a539b957f9dfb74941c56bab532221f4783d1ec90bde4019b9af68a79886d36d2e12fd9511836a8447cbecd56ee4a988b1e0dd6c6dc170b9c60b20a54
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
MD5 f8ca42285e4979fc25e1e358aaaf3ee3
SHA1 83bb7336deceeb094574714c1043ce9d3d420ee8
SHA256 d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1
SHA512 00bddc7a539b957f9dfb74941c56bab532221f4783d1ec90bde4019b9af68a79886d36d2e12fd9511836a8447cbecd56ee4a988b1e0dd6c6dc170b9c60b20a54
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
MD5 f8ca42285e4979fc25e1e358aaaf3ee3
SHA1 83bb7336deceeb094574714c1043ce9d3d420ee8
SHA256 d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1
SHA512 00bddc7a539b957f9dfb74941c56bab532221f4783d1ec90bde4019b9af68a79886d36d2e12fd9511836a8447cbecd56ee4a988b1e0dd6c6dc170b9c60b20a54
-
memory/188-32-0x0000000000000000-mapping.dmp
-
memory/636-2-0x0000000000C70000-0x0000000000C71000-memory.dmp
Filesize 4KB
-
memory/636-4-0x0000000000400000-0x0000000000541000-memory.dmp
Filesize 1.3MB
-
memory/636-3-0x00000000001C0000-0x00000000001F7000-memory.dmp
Filesize 220KB
-
memory/2648-33-0x0000000000000000-mapping.dmp
-
memory/2680-27-0x0000000000000000-mapping.dmp
-
memory/2816-9-0x0000000000000000-mapping.dmp
-
memory/2816-8-0x0000000000BC0000-0x0000000000BC1000-memory.dmp
Filesize 4KB
-
memory/2840-22-0x0000000000000000-mapping.dmp
-
memory/2896-30-0x0000000000000000-mapping.dmp
-
memory/3148-10-0x0000000000D00000-0x0000000000D01000-memory.dmp
Filesize 4KB
-
memory/3148-5-0x0000000000000000-mapping.dmp
-
memory/3612-26-0x0000000000000000-mapping.dmp
-
memory/3616-28-0x0000000000000000-mapping.dmp
-
memory/3616-34-0x0000000000E00000-0x0000000000E01000-memory.dmp
Filesize 4KB
-
memory/3824-25-0x0000000000000000-mapping.dmp
-
memory/3836-23-0x0000000000000000-mapping.dmp
-
memory/3844-35-0x0000000000000000-mapping.dmp
-
memory/3920-24-0x0000000000000000-mapping.dmp