Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-03-2021 17:26

Static task: static1

Behavioral task: behavioral1
  Sample: March 4.scr.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: March 4.scr.exe
  Resource: win10v20201028
General
- Target: March 4.scr.exe
- Size: 812KB
- MD5: 5181f541a6d97bab854d5eba326ea7d9
- SHA1: 16d9967a2658ac765d7acbea18c556b927b810be
- SHA256: b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83
- SHA512: c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa
Malware Config
Extracted
- Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- Family: buran
- Emails: filescrp@420blaze.it, filescrp@yandex.ru
Signatures
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1348  spoolsv.exe
    2292  spoolsv.exe
- Deletes itself (1 IoCs)
  Processes:
    pid   process
    2844  notepad.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (March 4.scr.exe):
    Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run
    Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\spoolsv.exe\" -start"
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (spoolsv.exe):
    File opened (read-only): \??\I:, \??\X:, \??\V:, \??\Q:, \??\P:, \??\O:, \??\K:, \??\J:, \??\T:, \??\S:, \??\R:, \??\N:, \??\M:, \??\L:, \??\F:, \??\Y:, \??\E:, \??\B:, \??\A:, \??\Z:, \??\W:, \??\U:, \??\H:, \??\G:
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 11: geoiptool.com
- Drops file in Program Files directory (64 IoCs)
  Processes (spoolsv.exe):
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar.43E-34E-563
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.43E-34E-563
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms.43E-34E-563
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-phn.xrm-ms
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\profile.jfc.43E-34E-563
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html.43E-34E-563
    File created: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms.43E-34E-563
    File created: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF.43E-34E-563
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms.43E-34E-563
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-oob.xrm-ms.43E-34E-563
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar.43E-34E-563
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms.43E-34E-563
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar.43E-34E-563
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms
    File opened for modification: C:\Program Files\7-Zip\Lang\he.txt
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_zh_4.4.0.v20140623020002.jar
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms.43E-34E-563
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-ms
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms.43E-34E-563
    File opened for modification: C:\Program Files\7-Zip\Lang\br.txt.43E-34E-563
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe.43E-34E-563
    File opened for modification: C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_zh_CN.properties
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar.43E-34E-563
    File opened for modification: C:\Program Files\Java\jre1.8.0_66\lib\security\blacklisted.certs
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms
    File opened for modification: C:\Program Files\CompareGroup.i64
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe.43E-34E-563
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.43E-34E-563
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-windows.jar.43E-34E-563
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.43E-34E-563
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ul-oob.xrm-ms.43E-34E-563
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms.43E-34E-563
    File opened for modification: C:\Program Files\Microsoft Office\root\Office15\pkeyconfig-office.xrm-ms
    File opened for modification: C:\Program Files\7-Zip\History.txt
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties.43E-34E-563
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml.43E-34E-563
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml.43E-34E-563
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-actions.xml
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar.43E-34E-563
    File opened for modification: C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi.43E-34E-563
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms
    File opened for modification: C:\Program Files\7-Zip\Lang\bn.txt
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\ant-javafx.jar
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms.43E-34E-563
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.43E-34E-563
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-explorer_zh_CN.jar
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-ms.43E-34E-563
    File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms
    File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml.43E-34E-563
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid   process
    3504  vssadmin.exe
    652   vssadmin.exe
- Modifies system certificate store
  Processes (March 4.scr.exe):
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [DER certificate blob omitted; subject per the blob: AAA Certificate Services, Comodo CA Limited]
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    token                          pid   process
    SeDebugPrivilege               828   March 4.scr.exe
    SeDebugPrivilege               828   March 4.scr.exe
    SeIncreaseQuotaPrivilege       524   WMIC.exe
    SeSecurityPrivilege            524   WMIC.exe
    SeTakeOwnershipPrivilege       524   WMIC.exe
    SeLoadDriverPrivilege          524   WMIC.exe
    SeSystemProfilePrivilege       524   WMIC.exe
    SeSystemtimePrivilege          524   WMIC.exe
    SeProfSingleProcessPrivilege   524   WMIC.exe
    SeIncBasePriorityPrivilege     524   WMIC.exe
    SeCreatePagefilePrivilege      524   WMIC.exe
    SeBackupPrivilege              524   WMIC.exe
    SeRestorePrivilege             524   WMIC.exe
    SeShutdownPrivilege            524   WMIC.exe
    SeDebugPrivilege               524   WMIC.exe
    SeSystemEnvironmentPrivilege   524   WMIC.exe
    SeRemoteShutdownPrivilege      524   WMIC.exe
    SeUndockPrivilege              524   WMIC.exe
    SeManageVolumePrivilege        524   WMIC.exe
    33                             524   WMIC.exe
    34                             524   WMIC.exe
    35                             524   WMIC.exe
    36                             524   WMIC.exe
    SeIncreaseQuotaPrivilege       2772  WMIC.exe
    SeSecurityPrivilege            2772  WMIC.exe
    SeTakeOwnershipPrivilege       2772  WMIC.exe
    SeLoadDriverPrivilege          2772  WMIC.exe
    SeSystemProfilePrivilege       2772  WMIC.exe
    SeSystemtimePrivilege          2772  WMIC.exe
    SeProfSingleProcessPrivilege   2772  WMIC.exe
    SeIncBasePriorityPrivilege     2772  WMIC.exe
    SeCreatePagefilePrivilege      2772  WMIC.exe
    SeBackupPrivilege              2772  WMIC.exe
    SeRestorePrivilege             2772  WMIC.exe
    SeShutdownPrivilege            2772  WMIC.exe
    SeDebugPrivilege               2772  WMIC.exe
    SeSystemEnvironmentPrivilege   2772  WMIC.exe
    SeRemoteShutdownPrivilege      2772  WMIC.exe
    SeUndockPrivilege              2772  WMIC.exe
    SeManageVolumePrivilege        2772  WMIC.exe
    33                             2772  WMIC.exe
    34                             2772  WMIC.exe
    35                             2772  WMIC.exe
    36                             2772  WMIC.exe
    SeBackupPrivilege              1696  vssvc.exe
    SeRestorePrivilege             1696  vssvc.exe
    SeAuditPrivilege               1696  vssvc.exe
    SeIncreaseQuotaPrivilege       2772  WMIC.exe
    SeSecurityPrivilege            2772  WMIC.exe
    SeTakeOwnershipPrivilege       2772  WMIC.exe
    SeLoadDriverPrivilege          2772  WMIC.exe
    SeSystemProfilePrivilege       2772  WMIC.exe
    SeSystemtimePrivilege          2772  WMIC.exe
    SeProfSingleProcessPrivilege   2772  WMIC.exe
    SeIncreaseQuotaPrivilege       524   WMIC.exe
    SeIncBasePriorityPrivilege     2772  WMIC.exe
    SeSecurityPrivilege            524   WMIC.exe
    SeCreatePagefilePrivilege      2772  WMIC.exe
    SeTakeOwnershipPrivilege       524   WMIC.exe
    SeBackupPrivilege              2772  WMIC.exe
    SeLoadDriverPrivilege          524   WMIC.exe
    SeRestorePrivilege             2772  WMIC.exe
    SeSystemProfilePrivilege       524   WMIC.exe
    SeShutdownPrivilege            2772  WMIC.exe
- Suspicious use of WriteProcessMemory (42 IoCs)
  Processes:
    description                        pid   process          target process
    PID 828 wrote to memory of 1348    828   March 4.scr.exe  spoolsv.exe
    PID 828 wrote to memory of 1348    828   March 4.scr.exe  spoolsv.exe
    PID 828 wrote to memory of 1348    828   March 4.scr.exe  spoolsv.exe
    PID 828 wrote to memory of 2844    828   March 4.scr.exe  notepad.exe
    PID 828 wrote to memory of 2844    828   March 4.scr.exe  notepad.exe
    PID 828 wrote to memory of 2844    828   March 4.scr.exe  notepad.exe
    PID 828 wrote to memory of 2844    828   March 4.scr.exe  notepad.exe
    PID 828 wrote to memory of 2844    828   March 4.scr.exe  notepad.exe
    PID 828 wrote to memory of 2844    828   March 4.scr.exe  notepad.exe
    PID 1348 wrote to memory of 1480   1348  spoolsv.exe      cmd.exe
    PID 1348 wrote to memory of 1480   1348  spoolsv.exe      cmd.exe
    PID 1348 wrote to memory of 1480   1348  spoolsv.exe      cmd.exe
    PID 1348 wrote to memory of 3932   1348  spoolsv.exe      cmd.exe
    PID 1348 wrote to memory of 3932   1348  spoolsv.exe      cmd.exe
    PID 1348 wrote to memory of 3932   1348  spoolsv.exe      cmd.exe
    PID 1348 wrote to memory of 360    1348  spoolsv.exe      cmd.exe
    PID 1348 wrote to memory of 360    1348  spoolsv.exe      cmd.exe
    PID 1348 wrote to memory of 360    1348  spoolsv.exe      cmd.exe
    PID 1348 wrote to memory of 2348   1348  spoolsv.exe      cmd.exe
    PID 1348 wrote to memory of 2348   1348  spoolsv.exe      cmd.exe
    PID 1348 wrote to memory of 2348   1348  spoolsv.exe      cmd.exe
    PID 1348 wrote to memory of 2308   1348  spoolsv.exe      cmd.exe
    PID 1348 wrote to memory of 2308   1348  spoolsv.exe      cmd.exe
    PID 1348 wrote to memory of 2308   1348  spoolsv.exe      cmd.exe
    PID 1348 wrote to memory of 3128   1348  spoolsv.exe      cmd.exe
    PID 1348 wrote to memory of 3128   1348  spoolsv.exe      cmd.exe
    PID 1348 wrote to memory of 3128   1348  spoolsv.exe      cmd.exe
    PID 1348 wrote to memory of 2292   1348  spoolsv.exe      spoolsv.exe
    PID 1348 wrote to memory of 2292   1348  spoolsv.exe      spoolsv.exe
    PID 1348 wrote to memory of 2292   1348  spoolsv.exe      spoolsv.exe
    PID 2308 wrote to memory of 652    2308  cmd.exe          vssadmin.exe
    PID 2308 wrote to memory of 652    2308  cmd.exe          vssadmin.exe
    PID 2308 wrote to memory of 652    2308  cmd.exe          vssadmin.exe
    PID 1480 wrote to memory of 524    1480  cmd.exe          WMIC.exe
    PID 1480 wrote to memory of 524    1480  cmd.exe          WMIC.exe
    PID 1480 wrote to memory of 524    1480  cmd.exe          WMIC.exe
    PID 3128 wrote to memory of 2772   3128  cmd.exe          WMIC.exe
    PID 3128 wrote to memory of 2772   3128  cmd.exe          WMIC.exe
    PID 3128 wrote to memory of 2772   3128  cmd.exe          WMIC.exe
    PID 3128 wrote to memory of 3504   3128  cmd.exe          vssadmin.exe
    PID 3128 wrote to memory of 3504   3128  cmd.exe          vssadmin.exe
    PID 3128 wrote to memory of 3504   3128  cmd.exe          vssadmin.exe
Processes (tree; the bracketed number is the depth in the tree)
[1] C:\Users\Admin\AppData\Local\Temp\March 4.scr.exe
    command: "C:\Users\Admin\AppData\Local\Temp\March 4.scr.exe"
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
      command: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        command: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
          command: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        command: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    [3] C:\Windows\SysWOW64\cmd.exe
        command: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    [3] C:\Windows\SysWOW64\cmd.exe
        command: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    [3] C:\Windows\SysWOW64\cmd.exe
        command: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\vssadmin.exe
          command: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
    [3] C:\Windows\SysWOW64\cmd.exe
        command: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
          command: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\vssadmin.exe
          command: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
        command: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
        - Executes dropped EXE
        - Drops file in Program Files directory
  [2] C:\Windows\SysWOW64\notepad.exe
      command: notepad.exe
      - Deletes itself
[1] C:\Windows\system32\vssvc.exe
    command: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5: b388079096b39c202c4f06293efd160b
  SHA1: 915f86a54d95244ae5a1cb12354efcdce9eefd1f
  SHA256: b50779980da5ab62a212a45640357707bdfe43e7a0b2dd1d3d6a45988be32b88
  SHA512: 5093255fe506cf5c472fafa016fe577bee6fb4085ebe9405d62c7d4b6fcaced58c52d62a59f032e93e6f7311722693f4578e4bf0424a04b9de2b3e90071e7fbc
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5: ecb21e39b5b11be0a29330e1a20d696c
  SHA1: e5563448ca649fdc76ddef52ca636b19dc31bfcc
  SHA256: 36dd36c96bb0f2e2fe9504d653235d44afee9edbcc8d65ac4df79a5fa27c417d
  SHA512: 8312cd9b331eedede74b0d1f4440fe8df50b01970394c6a98575f6df8b1f0c15d1b4023eb3b34c303232eaa4587c3966d877141db83bf6bdf601957cc4a484b9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: 899e9694777b7b35087a51ffcc729d43
  SHA1: 8359dcd3ca4c8bde585b012ccccc84bf135d3797
  SHA256: 98e3871c94e70237460ff3e42aef8f87b5bedfe9b85d38e699046827dadcee75
  SHA512: 5ca781a78900afa2f192d2dfd8178997cd727444cca8b14844ea2c5cdff470cf588eb769acb60a4ffe2ebf1cfaeb02a6abfe71e674b282e01935570da190e182
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5: 1d694fcf12c9d5a0703156e979adc123
  SHA1: d8d8ca0c43e95a069add93f25dde36cf822fbc81
  SHA256: bc7cd45033bd23192b2b19e34ab54e2e3b4e7e3c49616865a804b7602f9b4e9f
  SHA512: 5abedaf836818b1e725a9f2fb678472a0c838548147ef97542671191d1da02b2edf8f739323c9c96d0035ebcc6a1f74a8de2c0e0244f00059ffa82480c6e7550
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5: 6686218ab9240cc3e1ff265fa36c2146
  SHA1: 6bd42ac9baac42ea04b8a1092f30663e77e4592b
  SHA256: 248e7f5c3c1e8319ef56afa2f55ee66d7bd9cac9433cb22c9c2461f474689402
  SHA512: b6f2e787bce2e8d33f17340a1739225e8b6bba50ccc137228b61fa18c298f59475a4a1fffd6ae08ea269c433cb83817a328a36444fd5b867384c37c2795e7c5f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: 695f2727d127876dfae7e25a771843a0
  SHA1: 81d7594575e1cbdf8585b9e6c01c2adfb07cd8ad
  SHA256: d405486ef6d4a48ab24201b92d9fde60943acda828d0f26548cf88069c3429b0
  SHA512: 9daca59d021e79c00fd08ad905574f0b978bcc4b35076e1b64c5ea83f2ba986eeaf3e5198e4dacb2289730442bd87b53cbd0229ec5948a95f29217c1f6ae14d8
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\55NCNXJE.htm
  MD5: b1cd7c031debba3a5c77b39b6791c1a7
  SHA1: e5d91e14e9c685b06f00e550d9e189deb2075f76
  SHA256: 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
  SHA512: d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\SAT0VDYG.htm
  MD5: 8615e70875c2cc0b9db16027b9adf11d
  SHA1: 4ed62cf405311c0ff562a3c59334a15ddc4f1bf9
  SHA256: da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d
  SHA512: cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73
- C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  MD5: ef572e2c7b1bbd57654b36e8dcfdc37a
  SHA1: b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
  SHA256: e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
  SHA512: b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
  MD5: 5181f541a6d97bab854d5eba326ea7d9
  SHA1: 16d9967a2658ac765d7acbea18c556b927b810be
  SHA256: b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83
  SHA512: c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa
- memory/360-22-0x0000000000000000-mapping.dmp
- memory/524-30-0x0000000000000000-mapping.dmp
- memory/652-28-0x0000000000000000-mapping.dmp
- memory/828-2-0x0000000007550000-0x000000000C7AC000-memory.dmp (Filesize: 82.4MB)
- memory/828-3-0x0000000000400000-0x000000000565C000-memory.dmp (Filesize: 82.4MB)
- memory/1348-10-0x0000000007400000-0x000000000C65C000-memory.dmp (Filesize: 82.4MB)
- memory/1348-4-0x0000000000000000-mapping.dmp
- memory/1480-20-0x0000000000000000-mapping.dmp
- memory/2292-26-0x0000000000000000-mapping.dmp
- memory/2292-33-0x00000000072E0000-0x000000000C53C000-memory.dmp (Filesize: 82.4MB)
- memory/2308-24-0x0000000000000000-mapping.dmp
- memory/2348-23-0x0000000000000000-mapping.dmp
- memory/2772-31-0x0000000000000000-mapping.dmp
- memory/2844-8-0x0000000000000000-mapping.dmp
- memory/2844-7-0x0000000002A40000-0x0000000002A41000-memory.dmp (Filesize: 4KB)
- memory/3128-25-0x0000000000000000-mapping.dmp
- memory/3504-32-0x0000000000000000-mapping.dmp
- memory/3932-21-0x0000000000000000-mapping.dmp