Analysis
max time kernel: 313s
max time network: 377s
platform: windows10_x64
resource: win10v20201028
submitted: 07-03-2021 22:02
Static task: static1
Behavioral task: behavioral1 (sample test.bin.exe, resource win10v20201028)
Behavioral task: behavioral2 (sample test.bin.exe, resource win10v20201028)
Behavioral task: behavioral3 (sample test.bin.exe, resource win10v20201028)
General
Target: test.bin.exe
Size: 281KB
MD5: 41a1fa524a93929a68b58064bb1f86f7
SHA1: 47f69f81ee8be286f28a3a37337ad711f71b17b3
SHA256: 419f69ea6641f41f6f0ed44914ed3c8e9fcd0bd9b4ffcb720c60e3d682a9f78d
SHA512: 39250ec6f09e97cd5cd593038510eb414b680f4b9d112b7f2ff9dc017566671f23100aa01404ace8ecedee3510d1ea1fd8284bacbac1872224f522ce653ffb2d
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\623761351\readme-warning.txt
Family: makop
Contact emails: vassago0213@airmail.cc, vassago_0213@tutanota.com
Signatures
Makop
Ransomware family discovered by @VK_Intel in early 2020.
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
  PID 4036 created 4348: svchost.exe (4036) -> test.bin.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Processes:
  904 wbadmin.exe
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
  File opened for modification C:\Users\Admin\Pictures\DismountResize.tiff (test.bin.exe)
  File opened for modification C:\Users\Admin\Pictures\UnlockLock.tiff (test.bin.exe)
Loads dropped DLL 2 IoCs
Processes:
  4704 test.bin.exe
  4076 test.bin.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Suspicious use of SetThreadContext 2 IoCs
Processes:
  PID 4704 set thread context of 4348: test.bin.exe (4704) -> test.bin.exe
  PID 4076 set thread context of 2240: test.bin.exe (4076) -> test.bin.exe
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName (vds.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 (vds.exe)
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName (vds.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 (vds.exe)
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  4396 vssadmin.exe
Modifies system certificate store
Processes:
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (test.bin.exe)
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob not included in the report] (test.bin.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  4348 test.bin.exe
  4348 test.bin.exe
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
  4704 test.bin.exe
  4076 test.bin.exe
Suspicious use of AdjustPrivilegeToken 50 IoCs
Suspicious use of WriteProcessMemory 23 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\test.bin.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\test.bin.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\test.bin.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\test.bin.exe"
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\test.bin.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\test.bin.exe" n4348
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\test.bin.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\test.bin.exe" n4348
    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
      C:\Windows\system32\wbadmin.exe
        command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
      C:\Windows\System32\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
\??\c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)