Analysis
-
max time kernel
244s -
max time network
246s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
07-03-2021 22:02
Static task
static1
Behavioral task
behavioral1
Sample
test.bin.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
test.bin.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
test.bin.exe
Resource
win10v20201028
General
-
Target
test.bin.exe
-
Size
281KB
-
MD5
41a1fa524a93929a68b58064bb1f86f7
-
SHA1
47f69f81ee8be286f28a3a37337ad711f71b17b3
-
SHA256
419f69ea6641f41f6f0ed44914ed3c8e9fcd0bd9b4ffcb720c60e3d682a9f78d
-
SHA512
39250ec6f09e97cd5cd593038510eb414b680f4b9d112b7f2ff9dc017566671f23100aa01404ace8ecedee3510d1ea1fd8284bacbac1872224f522ce653ffb2d
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\313775663\readme-warning.txt
makop
vassago0213@airmail.cc
vassago_0213@tutanota.com
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
svchost.exedescription pid process target process PID 3860 created 3704 3860 svchost.exe test.bin.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Processes:
wbadmin.exepid process 916 wbadmin.exe -
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
test.bin.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\FindResize.tiff test.bin.exe File opened for modification C:\Users\Admin\Pictures\PushDisable.tiff test.bin.exe -
Loads dropped DLL 2 IoCs
Processes:
test.bin.exetest.bin.exepid process 644 test.bin.exe 3964 test.bin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
test.bin.exetest.bin.exedescription pid process target process PID 644 set thread context of 3704 644 test.bin.exe test.bin.exe PID 3964 set thread context of 2616 3964 test.bin.exe test.bin.exe -
Drops file in Program Files directory 64 IoCs
Processes:
test.bin.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml test.bin.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.scale-125.png test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_contrast-black.png test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\fingerscrossed.png test.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\ui-strings.js test.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\ui-strings.js test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\spider\2_Piece_Silk_Suit_Unearned_small.png test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_TileSmallSquare.scale-200.png test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\mask\1d.png test.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\readme-warning.txt test.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-si\readme-warning.txt test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\klondike\Ice_Castle_Unearned_small.png test.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxMediumTile.scale-100.png test.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\na_60x42.png test.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6701_40x40x32.png test.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\en-US.PhoneNumber.ot test.bin.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\Example3A.Diagnostics.Tests.ps1 test.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar test.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_ja_4.4.0.v20140623020002.jar test.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\uk-ua\ui-strings.js test.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\readme-warning.txt test.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-60_altform-unplated.png test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-250.png test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosLargeTile.contrast-black_scale-200.png test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-unplated_contrast-black.png test.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\readme-warning.txt test.bin.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\List.txt test.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms test.bin.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\readme-warning.txt test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Resources\cursorXBOX_active.png test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\classic_10h.png test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\pl_16x11.png test.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fi-fi\ui-strings.js test.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\readme-warning.txt test.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms test.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL054.XML test.bin.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-125_contrast-white.png test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\5px.png test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-300.png test.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\readme-warning.txt test.bin.exe File opened for modification C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcer.dll.mui test.bin.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Describe.Tests.ps1 test.bin.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\readme-warning.txt test.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF@2x.png test.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\THMBNAIL.PNG test.bin.exe File created C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\readme-warning.txt test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\FilesystemMetadata.xml test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-200.png test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_contrast-black.png test.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms test.bin.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSmallTile.scale-125.png test.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarMediumTile.scale-150.png test.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\Url.ot test.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\ui-strings.js test.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF test.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-40_altform-unplated_contrast-white.png test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\aquarium_11s.png test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-200.png test.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jar test.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-72_altform-unplated_contrast-white.png test.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vds.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName vds.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 3124 vssadmin.exe -
Processes:
test.bin.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 test.bin.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e test.bin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
test.bin.exepid process 3704 test.bin.exe 3704 test.bin.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
test.bin.exetest.bin.exepid process 644 test.bin.exe 3964 test.bin.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
svchost.exevssvc.exewbengine.exeWMIC.exedescription pid process Token: SeTcbPrivilege 3860 svchost.exe Token: SeTcbPrivilege 3860 svchost.exe Token: SeBackupPrivilege 8 vssvc.exe Token: SeRestorePrivilege 8 vssvc.exe Token: SeAuditPrivilege 8 vssvc.exe Token: SeBackupPrivilege 4012 wbengine.exe Token: SeRestorePrivilege 4012 wbengine.exe Token: SeSecurityPrivilege 4012 wbengine.exe Token: SeIncreaseQuotaPrivilege 2176 WMIC.exe Token: SeSecurityPrivilege 2176 WMIC.exe Token: SeTakeOwnershipPrivilege 2176 WMIC.exe Token: SeLoadDriverPrivilege 2176 WMIC.exe Token: SeSystemProfilePrivilege 2176 WMIC.exe Token: SeSystemtimePrivilege 2176 WMIC.exe Token: SeProfSingleProcessPrivilege 2176 WMIC.exe Token: SeIncBasePriorityPrivilege 2176 WMIC.exe Token: SeCreatePagefilePrivilege 2176 WMIC.exe Token: SeBackupPrivilege 2176 WMIC.exe Token: SeRestorePrivilege 2176 WMIC.exe Token: SeShutdownPrivilege 2176 WMIC.exe Token: SeDebugPrivilege 2176 WMIC.exe Token: SeSystemEnvironmentPrivilege 2176 WMIC.exe Token: SeRemoteShutdownPrivilege 2176 WMIC.exe Token: SeUndockPrivilege 2176 WMIC.exe Token: SeManageVolumePrivilege 2176 WMIC.exe Token: 33 2176 WMIC.exe Token: 34 2176 WMIC.exe Token: 35 2176 WMIC.exe Token: 36 2176 WMIC.exe Token: SeIncreaseQuotaPrivilege 2176 WMIC.exe Token: SeSecurityPrivilege 2176 WMIC.exe Token: SeTakeOwnershipPrivilege 2176 WMIC.exe Token: SeLoadDriverPrivilege 2176 WMIC.exe Token: SeSystemProfilePrivilege 2176 WMIC.exe Token: SeSystemtimePrivilege 2176 WMIC.exe Token: SeProfSingleProcessPrivilege 2176 WMIC.exe Token: SeIncBasePriorityPrivilege 2176 WMIC.exe Token: SeCreatePagefilePrivilege 2176 WMIC.exe Token: SeBackupPrivilege 2176 WMIC.exe Token: SeRestorePrivilege 2176 WMIC.exe Token: SeShutdownPrivilege 2176 WMIC.exe Token: SeDebugPrivilege 2176 WMIC.exe Token: SeSystemEnvironmentPrivilege 2176 WMIC.exe Token: SeRemoteShutdownPrivilege 2176 WMIC.exe Token: SeUndockPrivilege 2176 WMIC.exe Token: SeManageVolumePrivilege 2176 WMIC.exe Token: 33 2176 WMIC.exe Token: 34 2176 WMIC.exe Token: 35 2176 WMIC.exe Token: 36 2176 WMIC.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
test.bin.exesvchost.exetest.bin.execmd.exetest.bin.exedescription pid process target process PID 644 wrote to memory of 3704 644 test.bin.exe test.bin.exe PID 644 wrote to memory of 3704 644 test.bin.exe test.bin.exe PID 644 wrote to memory of 3704 644 test.bin.exe test.bin.exe PID 644 wrote to memory of 3704 644 test.bin.exe test.bin.exe PID 3860 wrote to memory of 3964 3860 svchost.exe test.bin.exe PID 3860 wrote to memory of 3964 3860 svchost.exe test.bin.exe PID 3860 wrote to memory of 3964 3860 svchost.exe test.bin.exe PID 3860 wrote to memory of 3964 3860 svchost.exe test.bin.exe PID 3860 wrote to memory of 3964 3860 svchost.exe test.bin.exe PID 3860 wrote to memory of 3964 3860 svchost.exe test.bin.exe PID 3860 wrote to memory of 3964 3860 svchost.exe test.bin.exe PID 3704 wrote to memory of 4060 3704 test.bin.exe cmd.exe PID 3704 wrote to memory of 4060 3704 test.bin.exe cmd.exe PID 4060 wrote to memory of 3124 4060 cmd.exe vssadmin.exe PID 4060 wrote to memory of 3124 4060 cmd.exe vssadmin.exe PID 4060 wrote to memory of 916 4060 cmd.exe wbadmin.exe PID 4060 wrote to memory of 916 4060 cmd.exe wbadmin.exe PID 4060 wrote to memory of 2176 4060 cmd.exe WMIC.exe PID 4060 wrote to memory of 2176 4060 cmd.exe WMIC.exe PID 3964 wrote to memory of 2616 3964 test.bin.exe test.bin.exe PID 3964 wrote to memory of 2616 3964 test.bin.exe test.bin.exe PID 3964 wrote to memory of 2616 3964 test.bin.exe test.bin.exe PID 3964 wrote to memory of 2616 3964 test.bin.exe test.bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\test.bin.exe"C:\Users\Admin\AppData\Local\Temp\test.bin.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\test.bin.exe"C:\Users\Admin\AppData\Local\Temp\test.bin.exe"2⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\test.bin.exe"C:\Users\Admin\AppData\Local\Temp\test.bin.exe" n37043⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\test.bin.exe"C:\Users\Admin\AppData\Local\Temp\test.bin.exe" n37044⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\402991629MD5
739a742c0ee48cc73f612c3308533729
SHA19b92ae2321cd68e039f33df8eb56352d2d57267c
SHA256ad9debd9b5888553fef16c5212f470dcc64c8a28cfcccc9d3c83f5aa1921921c
SHA51281a050dd93d09e315f0f201b7593843c142b5ff25e9a3b53a6f2dc5bcc1ccb20c3e1d55ef64dfa6abf667ceff2df0319ac9314270e573e621fee4c35285c7312
-
C:\Users\Admin\AppData\Roaming\402991629MD5
52b8b293ea78fab9028a304685e33dfa
SHA138c96fa239ca67a5c4b31b92dbc9975655012113
SHA2564db174c4ae9be069fed1548e433b2e6d972afed90bb6978e36ba3b7e819deb6f
SHA512b7d218fdaa79c2ef00902f57206227f8e6f9fc7d4adeff21942a51fc815c226b7a480aa7f88112c3bab7583c993a1818f0d4e4b7edc677f0793f18eb572fe432
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\JRE Test\JRE Test.lnkMD5
d6776e73ef0d5c5053c5da78e7b78230
SHA1f09674974df214f52be3cd1e3294e1908c355b89
SHA2565f638055b1596f0732bed1c75005e22b97897ba33ddae2960f77a22a870be33a
SHA5121e94bcf5bd0d28f3ad9899d3b840d1e0fb20f15c671e464c68515daa79ed2a462ec56cd8bf0dcb129634652907e00cc8dcde13678dbdc1248d207921fe1e81a4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\JRE Test\JRE Test.lnkMD5
83e81abbf08683a52c6895d838c37e4b
SHA1316ee7f23bd2f8f794b8dd22d324c32673fffbc2
SHA256c958b7e812c2c4d0f6f59ddd006a7b409d179b97ba7bc26aa1cf4956cb5fd5ab
SHA5123e41aef8259353b2b2c88398fc6f67e1d73952027891cc54f735d1cc55fd70e2a266a745c15a28dfd1c5abda1d44ce95a0b726ab73f9763de635f49b1f1c449d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\JRE Test\Uninstall.lnkMD5
534793738922866ff81ff37aa012b5ff
SHA1af1c1d113e8c5160674873f412d2d6d77a2aed32
SHA25630a1ef255461d9fabd43a8158692c4392daf0590970637ac3500d4dbbba163f5
SHA51264deb3caa33f8a5b849d9d5d9b1deea4845ae61a109526403975a9ed8006e607b8d3298799921abf75e9f343f8bb4f9c4f2fbdb33e67f3e3ccd4bcfef19aa16a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\JRE Test\Uninstall.lnkMD5
8c1915b550cf482cecf7dc9b61caf2a9
SHA1b21c941ff1e3254ce7f2d7708b58ca95159516e5
SHA25675a4c0cd4771667094effa56412bde107df2a57d7d27c609414677cfe93cc2d4
SHA512f52a8c04d4ebd479982f6822743e0b9cdcd6ebe22dedf4c87c5fc2da8dc259507e56dbe254e8c285ce016f6b8671674b145bdf6ac42a915bf361cc5366a45ed7
-
\Users\Admin\AppData\Local\Temp\nsm8AA3.tmp\System.dllMD5
0063d48afe5a0cdc02833145667b6641
SHA1e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA51271cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
\Users\Admin\AppData\Local\Temp\nsuB78F.tmp\System.dllMD5
0063d48afe5a0cdc02833145667b6641
SHA1e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA51271cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
memory/916-12-0x0000000000000000-mapping.dmp
-
memory/2176-13-0x0000000000000000-mapping.dmp
-
memory/2616-14-0x0000000000405680-mapping.dmp
-
memory/3124-9-0x0000000000000000-mapping.dmp
-
memory/3704-10-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/3704-3-0x0000000000405680-mapping.dmp
-
memory/3964-4-0x0000000000000000-mapping.dmp
-
memory/4060-5-0x0000000000000000-mapping.dmp