Analysis
-
max time kernel
36s -
max time network
38s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
07-03-2021 22:02
Static task
static1
Behavioral task
behavioral1
Sample
Attachment.bin.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Attachment.bin.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
Attachment.bin.exe
Resource
win10v20201028
General
-
Target
Attachment.bin.exe
-
Size
34KB
-
MD5
12bf7cd0edc70cb548c8ea7a16bfcac2
-
SHA1
c0c757896c8db32e2e92492f98dd86c481cd70cf
-
SHA256
d64a2e8e21b9dd345095cbbe7a32ef47ac3d33012d350b9ec198db3838ca5eaa
-
SHA512
fb97406f687aa3e15003b192f83222712bf35daa0dbab36d0a49e63dc3eea1e3bfb66faff530a1f3b1d193e8f1862a002304629593b4414c9962f2c55e51cf22
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\940489315\readme-warning.txt
makop
tuzadiea@msgsafe.io
gudixaxa@yahooweb.co
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
svchost.exedescription pid process target process PID 3844 created 1156 3844 svchost.exe Attachment.bin.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Processes:
wbadmin.exepid process 216 wbadmin.exe -
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Attachment.bin.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\ConfirmOpen.tiff Attachment.bin.exe File opened for modification C:\Users\Admin\Pictures\ConnectStep.tiff Attachment.bin.exe File opened for modification C:\Users\Admin\Pictures\ConvertRestore.tiff Attachment.bin.exe File opened for modification C:\Users\Admin\Pictures\ReadUndo.tiff Attachment.bin.exe File opened for modification C:\Users\Admin\Pictures\RenameLock.tiff Attachment.bin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 64 IoCs
Processes:
Attachment.bin.exedescription ioc process File opened for modification C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\vlc.mo Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\HLSL\ConstantsPerObjectInstanced.fx Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\6536_24x24x32.png Attachment.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main-selector.css Attachment.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\MedTile.scale-125.png Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-150.png Attachment.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-ms Attachment.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-focus.svg Attachment.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_fw.png Attachment.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H Attachment.bin.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Pester.help.txt Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1251_72x72x32.png Attachment.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.boot.tree.dat Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\na_60x42.png Attachment.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\offsyml.ttf Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\sh_16x11.png Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\WideTile.scale-100.png Attachment.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\sat_logo_2x.png Attachment.bin.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Describe.ps1 Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\at_60x42.png Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-400.png Attachment.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reminders_18.svg Attachment.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\sat_logo.png Attachment.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\readme-warning.txt Attachment.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms Attachment.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin Attachment.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\ECLIPSE.INF Attachment.bin.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\readme-warning.txt Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-black_scale-125.png Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-200_contrast-high.png Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Kiss.png Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\bandit.png Attachment.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-unplated.png Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Movie-TVStoreLogo.scale-100_contrast-black.png Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\LargeTile.scale-100.png Attachment.bin.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml Attachment.bin.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\readme-warning.txt Attachment.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ko-kr\ui-strings.js Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\Density_Selected_Hard.png Attachment.bin.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\readme-warning.txt Attachment.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\readme-warning.txt Attachment.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-oob.xrm-ms Attachment.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR Attachment.bin.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\mask\1d.png Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OneConnectAppList.targetsize-40.png Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-150.png Attachment.bin.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\readme-warning.txt Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-256_altform-unplated.png Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\LargeTile.scale-200.png Attachment.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\readme-warning.txt Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\tmi.png Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-black_scale-200.png Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2017.203.236.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x Attachment.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-tw\readme-warning.txt Attachment.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\readme-warning.txt Attachment.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms Attachment.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties Attachment.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ppd.xrm-ms Attachment.bin.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-white_scale-125.png Attachment.bin.exe -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vds.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName vds.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 3088 vssadmin.exe -
Processes:
Attachment.bin.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Attachment.bin.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Attachment.bin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Attachment.bin.exepid process 1156 Attachment.bin.exe 1156 Attachment.bin.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
svchost.exevssvc.exewbengine.exeWMIC.exedescription pid process Token: SeTcbPrivilege 3844 svchost.exe Token: SeTcbPrivilege 3844 svchost.exe Token: SeBackupPrivilege 3412 vssvc.exe Token: SeRestorePrivilege 3412 vssvc.exe Token: SeAuditPrivilege 3412 vssvc.exe Token: SeBackupPrivilege 3232 wbengine.exe Token: SeRestorePrivilege 3232 wbengine.exe Token: SeSecurityPrivilege 3232 wbengine.exe Token: SeIncreaseQuotaPrivilege 1604 WMIC.exe Token: SeSecurityPrivilege 1604 WMIC.exe Token: SeTakeOwnershipPrivilege 1604 WMIC.exe Token: SeLoadDriverPrivilege 1604 WMIC.exe Token: SeSystemProfilePrivilege 1604 WMIC.exe Token: SeSystemtimePrivilege 1604 WMIC.exe Token: SeProfSingleProcessPrivilege 1604 WMIC.exe Token: SeIncBasePriorityPrivilege 1604 WMIC.exe Token: SeCreatePagefilePrivilege 1604 WMIC.exe Token: SeBackupPrivilege 1604 WMIC.exe Token: SeRestorePrivilege 1604 WMIC.exe Token: SeShutdownPrivilege 1604 WMIC.exe Token: SeDebugPrivilege 1604 WMIC.exe Token: SeSystemEnvironmentPrivilege 1604 WMIC.exe Token: SeRemoteShutdownPrivilege 1604 WMIC.exe Token: SeUndockPrivilege 1604 WMIC.exe Token: SeManageVolumePrivilege 1604 WMIC.exe Token: 33 1604 WMIC.exe Token: 34 1604 WMIC.exe Token: 35 1604 WMIC.exe Token: 36 1604 WMIC.exe Token: SeIncreaseQuotaPrivilege 1604 WMIC.exe Token: SeSecurityPrivilege 1604 WMIC.exe Token: SeTakeOwnershipPrivilege 1604 WMIC.exe Token: SeLoadDriverPrivilege 1604 WMIC.exe Token: SeSystemProfilePrivilege 1604 WMIC.exe Token: SeSystemtimePrivilege 1604 WMIC.exe Token: SeProfSingleProcessPrivilege 1604 WMIC.exe Token: SeIncBasePriorityPrivilege 1604 WMIC.exe Token: SeCreatePagefilePrivilege 1604 WMIC.exe Token: SeBackupPrivilege 1604 WMIC.exe Token: SeRestorePrivilege 1604 WMIC.exe Token: SeShutdownPrivilege 1604 WMIC.exe Token: SeDebugPrivilege 1604 WMIC.exe Token: SeSystemEnvironmentPrivilege 1604 WMIC.exe Token: SeRemoteShutdownPrivilege 1604 WMIC.exe Token: SeUndockPrivilege 1604 WMIC.exe Token: SeManageVolumePrivilege 1604 WMIC.exe Token: 33 1604 WMIC.exe Token: 34 1604 WMIC.exe Token: 35 1604 WMIC.exe Token: 36 1604 WMIC.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
svchost.exeAttachment.bin.execmd.exedescription pid process target process PID 3844 wrote to memory of 4076 3844 svchost.exe Attachment.bin.exe PID 3844 wrote to memory of 4076 3844 svchost.exe Attachment.bin.exe PID 3844 wrote to memory of 4076 3844 svchost.exe Attachment.bin.exe PID 3844 wrote to memory of 4076 3844 svchost.exe Attachment.bin.exe PID 3844 wrote to memory of 4076 3844 svchost.exe Attachment.bin.exe PID 3844 wrote to memory of 4076 3844 svchost.exe Attachment.bin.exe PID 3844 wrote to memory of 4076 3844 svchost.exe Attachment.bin.exe PID 1156 wrote to memory of 3524 1156 Attachment.bin.exe cmd.exe PID 1156 wrote to memory of 3524 1156 Attachment.bin.exe cmd.exe PID 3524 wrote to memory of 3088 3524 cmd.exe vssadmin.exe PID 3524 wrote to memory of 3088 3524 cmd.exe vssadmin.exe PID 3524 wrote to memory of 216 3524 cmd.exe wbadmin.exe PID 3524 wrote to memory of 216 3524 cmd.exe wbadmin.exe PID 3524 wrote to memory of 1604 3524 cmd.exe WMIC.exe PID 3524 wrote to memory of 1604 3524 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Attachment.bin.exe"C:\Users\Admin\AppData\Local\Temp\Attachment.bin.exe"1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Attachment.bin.exe"C:\Users\Admin\AppData\Local\Temp\Attachment.bin.exe" n11562⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)