Analysis
- max time kernel: 360s
- max time network: 434s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 07-03-2021 22:02
Static task: static1
Behavioral task: behavioral1
- Sample: Attachment.bin.exe
- Resource: win10v20201028
Behavioral task: behavioral2
- Sample: Attachment.bin.exe
- Resource: win10v20201028
Behavioral task: behavioral3
- Sample: Attachment.bin.exe
- Resource: win10v20201028
General
- Target: Attachment.bin.exe
- Size: 34KB
- MD5: 12bf7cd0edc70cb548c8ea7a16bfcac2
- SHA1: c0c757896c8db32e2e92492f98dd86c481cd70cf
- SHA256: d64a2e8e21b9dd345095cbbe7a32ef47ac3d33012d350b9ec198db3838ca5eaa
- SHA512: fb97406f687aa3e15003b192f83222712bf35daa0dbab36d0a49e63dc3eea1e3bfb66faff530a1f3b1d193e8f1862a002304629593b4414c9962f2c55e51cf22
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\Temp\771456631\readme-warning.txt
- Family: makop
- Emails: tuzadiea@msgsafe.io, gudixaxa@yahooweb.co
Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
Processes:
  description | pid | process | target process
  PID 4928 created 4636 | 4928 | svchost.exe | Attachment.bin.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Processes:
  pid | process
  3668 | wbadmin.exe
Modifies extensions of user files (1 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\DisconnectResize.tiff | Attachment.bin.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Drops file in Program Files directory (64 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-72.png | Attachment.bin.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\readme-warning.txt | Attachment.bin.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\cork.jpg | Attachment.bin.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\readme-warning.txt | Attachment.bin.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\readme-warning.txt | Attachment.bin.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hu-hu\readme-warning.txt | Attachment.bin.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_cs.jar | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-200.png | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32_altform-unplated_contrast-white.png | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60_altform-unplated.png | Attachment.bin.exe
  File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\It.Tests.ps1 | Attachment.bin.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\WT61ES.LEX | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.sad.small.scale-150.png | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\SmallTile.scale-200.png | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\video_offline_demo_page3.jpg | Attachment.bin.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\LargeTile.scale-100.png | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d3.png | Attachment.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\ui-strings.js | Attachment.bin.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\modules\dkjson.luac | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\FolderOrganizationCalloutImage.gif | Attachment.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\ui-strings.js | Attachment.bin.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\readme-warning.txt | Attachment.bin.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.png | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.scale-400.png | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-125.png | Attachment.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluCCFilesEmpty_180x180.svg | Attachment.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluDCFilesEmpty_180x180.svg | Attachment.bin.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\readme-warning.txt | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\video_offline_demo_page1.jpg | Attachment.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\createpdfupsell-app-selector.js | Attachment.bin.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSO0127.ACL | Attachment.bin.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms | Attachment.bin.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms | Attachment.bin.exe
  File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldExist.snippets.ps1xml | Attachment.bin.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActionExceptionHandlers.exsd | Attachment.bin.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms | Attachment.bin.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\readme-warning.txt | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageAppList.scale-100.png | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_altform-unplated_contrast-white.png | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-80.png | Attachment.bin.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\readme-warning.txt | Attachment.bin.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_altform-unplated_contrast-high.png | Attachment.bin.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar | Attachment.bin.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\PICTIM32.FLT | Attachment.bin.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\SATIN.INF | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_1s.png | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | Attachment.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons.png | Attachment.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\inline-error-2x.png | Attachment.bin.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands_3.6.100.v20140528-1422.jar | Attachment.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\ui-strings.js | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\SurfaceProfiles\paper_indiarough_512x512_nm.png | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-200.png | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.scale-125.png | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeAppList.targetsize-48_contrast-black.png | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-400.png | Attachment.bin.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml | Attachment.bin.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-ms | Attachment.bin.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\readme-warning.txt | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-125.png | Attachment.bin.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.targetsize-32.png | Attachment.bin.exe
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName | vds.exe
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid | process
  2200 | vssadmin.exe
Modifies system certificate store
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | Attachment.bin.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | Attachment.bin.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  4636 | Attachment.bin.exe
  4636 | Attachment.bin.exe
Suspicious use of AdjustPrivilegeToken (50 IoCs)
Processes:
  description | pid | process
  Token: SeTcbPrivilege | 4928 | svchost.exe
  Token: SeTcbPrivilege | 4928 | svchost.exe
  Token: SeBackupPrivilege | 1824 | vssvc.exe
  Token: SeRestorePrivilege | 1824 | vssvc.exe
  Token: SeAuditPrivilege | 1824 | vssvc.exe
  Token: SeBackupPrivilege | 2624 | wbengine.exe
  Token: SeRestorePrivilege | 2624 | wbengine.exe
  Token: SeSecurityPrivilege | 2624 | wbengine.exe
  Token: SeIncreaseQuotaPrivilege | 3304 | WMIC.exe
  Token: SeSecurityPrivilege | 3304 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3304 | WMIC.exe
  Token: SeLoadDriverPrivilege | 3304 | WMIC.exe
  Token: SeSystemProfilePrivilege | 3304 | WMIC.exe
  Token: SeSystemtimePrivilege | 3304 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 3304 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 3304 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 3304 | WMIC.exe
  Token: SeBackupPrivilege | 3304 | WMIC.exe
  Token: SeRestorePrivilege | 3304 | WMIC.exe
  Token: SeShutdownPrivilege | 3304 | WMIC.exe
  Token: SeDebugPrivilege | 3304 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 3304 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 3304 | WMIC.exe
  Token: SeUndockPrivilege | 3304 | WMIC.exe
  Token: SeManageVolumePrivilege | 3304 | WMIC.exe
  Token: 33 | 3304 | WMIC.exe
  Token: 34 | 3304 | WMIC.exe
  Token: 35 | 3304 | WMIC.exe
  Token: 36 | 3304 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 3304 | WMIC.exe
  Token: SeSecurityPrivilege | 3304 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3304 | WMIC.exe
  Token: SeLoadDriverPrivilege | 3304 | WMIC.exe
  Token: SeSystemProfilePrivilege | 3304 | WMIC.exe
  Token: SeSystemtimePrivilege | 3304 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 3304 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 3304 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 3304 | WMIC.exe
  Token: SeBackupPrivilege | 3304 | WMIC.exe
  Token: SeRestorePrivilege | 3304 | WMIC.exe
  Token: SeShutdownPrivilege | 3304 | WMIC.exe
  Token: SeDebugPrivilege | 3304 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 3304 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 3304 | WMIC.exe
  Token: SeUndockPrivilege | 3304 | WMIC.exe
  Token: SeManageVolumePrivilege | 3304 | WMIC.exe
  Token: 33 | 3304 | WMIC.exe
  Token: 34 | 3304 | WMIC.exe
  Token: 35 | 3304 | WMIC.exe
  Token: 36 | 3304 | WMIC.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description | pid | process | target process
  PID 4928 wrote to memory of 4984 | 4928 | svchost.exe | Attachment.bin.exe
  PID 4928 wrote to memory of 4984 | 4928 | svchost.exe | Attachment.bin.exe
  PID 4928 wrote to memory of 4984 | 4928 | svchost.exe | Attachment.bin.exe
  PID 4928 wrote to memory of 4984 | 4928 | svchost.exe | Attachment.bin.exe
  PID 4928 wrote to memory of 4984 | 4928 | svchost.exe | Attachment.bin.exe
  PID 4928 wrote to memory of 4984 | 4928 | svchost.exe | Attachment.bin.exe
  PID 4928 wrote to memory of 4984 | 4928 | svchost.exe | Attachment.bin.exe
  PID 4636 wrote to memory of 5028 | 4636 | Attachment.bin.exe | cmd.exe
  PID 4636 wrote to memory of 5028 | 4636 | Attachment.bin.exe | cmd.exe
  PID 5028 wrote to memory of 2200 | 5028 | cmd.exe | vssadmin.exe
  PID 5028 wrote to memory of 2200 | 5028 | cmd.exe | vssadmin.exe
  PID 5028 wrote to memory of 3668 | 5028 | cmd.exe | wbadmin.exe
  PID 5028 wrote to memory of 3668 | 5028 | cmd.exe | wbadmin.exe
  PID 5028 wrote to memory of 3304 | 5028 | cmd.exe | WMIC.exe
  PID 5028 wrote to memory of 3304 | 5028 | cmd.exe | WMIC.exe
Processes (tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\Attachment.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Attachment.bin.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Attachment.bin.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Attachment.bin.exe" n4636

  C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies

    C:\Windows\system32\wbadmin.exe
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog

    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)