Analysis
- max time kernel: 95s
- max time network: 97s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 24-03-2021 09:49
- Static task: static1
- Behavioral task: behavioral1 (Sample: Fat32Formatter.exe, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: Fat32Formatter.exe, Resource: win10v20201028)

General
- Target: Fat32Formatter.exe
- Size: 286KB
- MD5: fc080ffd9e95c2d8694a139e84c673ef
- SHA1: 195c3e7ce30b55d52b7e4bdca74613e2c9f7c16b
- SHA256: c5645239e94a63f672ce815de8a5f11c642ad0fdafe7ab0091807f7e286e3bfd
- SHA512: c969b8af4169d07653111ab31f4b4b4c5dc9582fe8e2de0e3986e9a5b2eca288751bbe57880b5adb6f2adfb1aac1c254314765abbc18be59877c6d526b2c56a2
Malware Config
Extracted from C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
- Family: makop
- Emails: pecunia0318@airmail.cc, pecunia0318@goat.si, pecunia0318@tutanota.com
Signatures
- Makop
  Ransomware family discovered by @VK_Intel in early 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
  Processes: wbadmin.exe (PID 1056)
- Loads dropped DLL (2 IoCs)
  Processes: Fat32Formatter.exe (PID 1616), Fat32Formatter.exe (PID 1864)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: PID 1616 Fat32Formatter.exe set thread context of PID 1748 Fat32Formatter.exe; PID 1864 Fat32Formatter.exe set thread context of PID 1572 Fat32Formatter.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: Fat32Formatter.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1360)
- Modifies system certificate store
  Processes: Fat32Formatter.exe created the key \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 and set its Blob value (certificate data) twice
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: Fat32Formatter.exe (PID 1748)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: Fat32Formatter.exe (PID 1616), Fat32Formatter.exe (PID 1864)
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes:
  - vssvc.exe (PID 1688): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - wbengine.exe (PID 828): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  - WMIC.exe (PID 1648), the following set recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
  - PID 1616 Fat32Formatter.exe wrote to memory of PID 1748 Fat32Formatter.exe (5 times)
  - PID 1748 Fat32Formatter.exe wrote to memory of PID 1708 cmd.exe (4 times)
  - PID 1708 cmd.exe wrote to memory of PID 1360 vssadmin.exe (3 times)
  - PID 1708 cmd.exe wrote to memory of PID 1056 wbadmin.exe (3 times)
  - PID 1708 cmd.exe wrote to memory of PID 1648 WMIC.exe (3 times)
  - PID 1864 Fat32Formatter.exe wrote to memory of PID 1572 Fat32Formatter.exe (5 times)
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe"
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Depth 3: C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n1748
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - Depth 4: C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n1748
    - Depth 3: C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      - Depth 4: C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
      - Depth 4: C:\Windows\system32\wbadmin.exe
        Command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
      - Depth 4: C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
- Depth 1: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- Depth 1: C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- Depth 1: C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- Depth 1: C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe