Analysis
-
max time kernel
146s -
max time network
137s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
02-04-2021 19:51
Static task
static1
Behavioral task
behavioral1
Sample
bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe
Resource
win10v20201028
General
-
Target
bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe
-
Size
34KB
-
MD5
67d32736c5e1300c21329f956da836ab
-
SHA1
15c705cc01650bbf0db7bd0229edadb5f4ee9cf7
-
SHA256
bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49
-
SHA512
33ec980170d703e43d67dbad2c1fef5855020291e139aa7e7bb1c96d446d27b7f187910df10bf183de86b882ffdd9dbc30715eafe74ae24edba4341fbcfa7eb8
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
makop
revilsupport@privatemail.com
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
svchost.exedescription pid process target process PID 848 created 1404 848 svchost.exe bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Processes:
wbadmin.exepid process 4036 wbadmin.exe -
Modifies Installed Components in the registry 2 TTPs
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\GetRestart.tiff bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Users\Admin\Pictures\RegisterShow.tiff bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
explorer.exedescription ioc process File opened (read-only) \??\D: explorer.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 64 IoCs
Processes:
bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exedescription ioc process File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OneConnectAppList.scale-200.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\10191_24x24x32.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-200.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookIconFirstRunCalendar.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\plugin.js bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestDrive.ps1 bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiler.jar bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\inline-error-1x.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-24_altform-unplated.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorStoreLogo.scale-100.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailSmallTile.scale-125.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\SmallTile.scale-200.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\In.Tests.ps1 bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\comments.win32.bundle bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\manifest.xml bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\worried.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-20.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailWideTile.scale-200.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-cn\readme-warning.txt bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\readme-warning.txt bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\README.txt bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\LargeTile.scale-200.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\move.svg bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-16_altform-unplated.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Rectangle_icon.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\19.jpg bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-150.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\js\startup.js bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxAccountsLargeTile.scale-100.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\WideTile.scale-200.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\SETUP.CHM bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-100.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_6_Point_Star.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-200.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLessThan.ps1 bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldBeGreaterThan.snippets.ps1xml bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql2000.xsl bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-20.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\readme-warning.txt bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\s_thumbnailview_18.svg bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\readme-warning.txt bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-oob.xrm-ms bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\resources.pri bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7336_40x40x32.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-400.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-32_altform-unplated.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\PREVIEW.GIF bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\rcypaper.jpg bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\no_60x42.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\LargeTile.scale-100.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\ui-strings.js bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\readme-warning.txt bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.scale-125.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3838_24x24x32.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupMedTile.scale-150.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailBadge.scale-125.png bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 508 3024 WerFault.exe -
Checks SCSI registry key(s) 3 TTPs 16 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vds.exeexplorer.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
SearchUI.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchUI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchUI.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 928 vssadmin.exe -
Modifies registry class 30 IoCs
Processes:
SearchUI.exeexplorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" SearchUI.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchUI.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchUI.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" SearchUI.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance explorer.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010004000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002c100000000000002000000e50704004100720067006a006200650078000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000074ae2078e323294282c1e41cb67d5b9c00000000000000000000000010da18f50a28d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e50704004600630072006e0078007200650066003a00200036003700250000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000ffffffff73ae2078e323294282c1e41cb67d5b9c00000000000000000000000073fa26dc59add60100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance explorer.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132483827320340134" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance explorer.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana SearchUI.exe -
Processes:
bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe -
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes:
bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exeWerFault.exepid process 1404 bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe 1404 bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe 508 WerFault.exe 508 WerFault.exe 508 WerFault.exe 508 WerFault.exe 508 WerFault.exe 508 WerFault.exe 508 WerFault.exe 508 WerFault.exe 508 WerFault.exe 508 WerFault.exe 508 WerFault.exe 508 WerFault.exe 508 WerFault.exe 508 WerFault.exe 508 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exevssvc.exewbengine.exeWMIC.exeWerFault.exeexplorer.exedescription pid process Token: SeTcbPrivilege 848 svchost.exe Token: SeTcbPrivilege 848 svchost.exe Token: SeBackupPrivilege 3296 vssvc.exe Token: SeRestorePrivilege 3296 vssvc.exe Token: SeAuditPrivilege 3296 vssvc.exe Token: SeBackupPrivilege 1300 wbengine.exe Token: SeRestorePrivilege 1300 wbengine.exe Token: SeSecurityPrivilege 1300 wbengine.exe Token: SeIncreaseQuotaPrivilege 2324 WMIC.exe Token: SeSecurityPrivilege 2324 WMIC.exe Token: SeTakeOwnershipPrivilege 2324 WMIC.exe Token: SeLoadDriverPrivilege 2324 WMIC.exe Token: SeSystemProfilePrivilege 2324 WMIC.exe Token: SeSystemtimePrivilege 2324 WMIC.exe Token: SeProfSingleProcessPrivilege 2324 WMIC.exe Token: SeIncBasePriorityPrivilege 2324 WMIC.exe Token: SeCreatePagefilePrivilege 2324 WMIC.exe Token: SeBackupPrivilege 2324 WMIC.exe Token: SeRestorePrivilege 2324 WMIC.exe Token: SeShutdownPrivilege 2324 WMIC.exe Token: SeDebugPrivilege 2324 WMIC.exe Token: SeSystemEnvironmentPrivilege 2324 WMIC.exe Token: SeRemoteShutdownPrivilege 2324 WMIC.exe Token: SeUndockPrivilege 2324 WMIC.exe Token: SeManageVolumePrivilege 2324 WMIC.exe Token: 33 2324 WMIC.exe Token: 34 2324 WMIC.exe Token: 35 2324 WMIC.exe Token: 36 2324 WMIC.exe Token: SeIncreaseQuotaPrivilege 2324 WMIC.exe Token: SeSecurityPrivilege 2324 WMIC.exe Token: SeTakeOwnershipPrivilege 2324 WMIC.exe Token: SeLoadDriverPrivilege 2324 WMIC.exe Token: SeSystemProfilePrivilege 2324 WMIC.exe Token: SeSystemtimePrivilege 2324 WMIC.exe Token: SeProfSingleProcessPrivilege 2324 WMIC.exe Token: SeIncBasePriorityPrivilege 2324 WMIC.exe Token: SeCreatePagefilePrivilege 2324 WMIC.exe Token: SeBackupPrivilege 2324 WMIC.exe Token: SeRestorePrivilege 2324 WMIC.exe Token: SeShutdownPrivilege 2324 WMIC.exe Token: SeDebugPrivilege 2324 WMIC.exe Token: SeSystemEnvironmentPrivilege 2324 WMIC.exe Token: SeRemoteShutdownPrivilege 2324 WMIC.exe Token: SeUndockPrivilege 2324 WMIC.exe Token: SeManageVolumePrivilege 2324 WMIC.exe Token: 33 2324 WMIC.exe Token: 34 2324 WMIC.exe Token: 35 2324 WMIC.exe Token: 36 2324 WMIC.exe Token: SeDebugPrivilege 508 WerFault.exe Token: SeShutdownPrivilege 876 explorer.exe Token: SeCreatePagefilePrivilege 876 explorer.exe Token: SeShutdownPrivilege 876 explorer.exe Token: SeCreatePagefilePrivilege 876 explorer.exe Token: SeShutdownPrivilege 876 explorer.exe Token: SeCreatePagefilePrivilege 876 explorer.exe Token: SeShutdownPrivilege 876 explorer.exe Token: SeCreatePagefilePrivilege 876 explorer.exe Token: SeShutdownPrivilege 876 explorer.exe Token: SeCreatePagefilePrivilege 876 explorer.exe Token: SeShutdownPrivilege 876 explorer.exe Token: SeCreatePagefilePrivilege 876 explorer.exe Token: SeShutdownPrivilege 876 explorer.exe -
Suspicious use of FindShellTrayWindow 42 IoCs
Processes:
explorer.exepid process 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe -
Suspicious use of SendNotifyMessage 23 IoCs
Processes:
explorer.exepid process 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe 876 explorer.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
ShellExperienceHost.exeSearchUI.exepid process 1344 ShellExperienceHost.exe 3696 SearchUI.exe 1344 ShellExperienceHost.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
svchost.exebc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.execmd.exedescription pid process target process PID 848 wrote to memory of 2924 848 svchost.exe bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe PID 848 wrote to memory of 2924 848 svchost.exe bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe PID 848 wrote to memory of 2924 848 svchost.exe bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe PID 848 wrote to memory of 2924 848 svchost.exe bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe PID 848 wrote to memory of 2924 848 svchost.exe bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe PID 848 wrote to memory of 2924 848 svchost.exe bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe PID 848 wrote to memory of 2924 848 svchost.exe bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe PID 1404 wrote to memory of 1220 1404 bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe cmd.exe PID 1404 wrote to memory of 1220 1404 bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe cmd.exe PID 1220 wrote to memory of 928 1220 cmd.exe vssadmin.exe PID 1220 wrote to memory of 928 1220 cmd.exe vssadmin.exe PID 1220 wrote to memory of 4036 1220 cmd.exe wbadmin.exe PID 1220 wrote to memory of 4036 1220 cmd.exe wbadmin.exe PID 1220 wrote to memory of 2324 1220 cmd.exe WMIC.exe PID 1220 wrote to memory of 2324 1220 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe"C:\Users\Admin\AppData\Local\Temp\bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe"1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe"C:\Users\Admin\AppData\Local\Temp\bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.bin.exe" n14042⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3024 -s 57921⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.dbMD5
10a2578de9cf5ce9447134d7cc2f709c
SHA1aa9609729e3875afdb2f2ac98f062c56a45be914
SHA2560cef33b157a569cd6e0f1ea469866c5bac74cb4c554b50016a89e16b4a8e1629
SHA512e4f8f885d79ebc51410e9ad63d7ff19dde0dbca946eabf96f833c2e3622f9de8e32d3fc5cccfcf90f43d1b6e6d2fd34e06c138fd4f73b81ae56aa2aabf1bd651
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001d.dbMD5
d2e888c9bf85f20ca2b37967d4f1915f
SHA1989a924854880168a423c4f8cefb23baef47187a
SHA25645ab2c042c2b2bb3bd73c21f7f333712caaf7f939a17e1834c440b13a957bbfe
SHA512c291b0a4a8012c884bc71d1c32aa2a35f83b210fd9f2384b7a12bab0c3432cc9e577e4097fc7053074fbffc88499e059614972ece78089817ca018a06458ede0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001e.dbMD5
74e4903504a6d49d4534fe21d09aec9d
SHA1bc84a7ce0f5f24108339d904fd06fdc9b60a1580
SHA25642901e8e3b83f147c9da0da0dd254d51afe9fec23456a2ea2cab89e9f3a7a59c
SHA512d6ee29de5b23d5c7acdabe0706e15109c3c6dfd0810fc32a628206c36a0f0385413b734589fab3cb813b8516be92a384031cb79f6e0820bf5a40f6c06272ce1b
-
C:\Users\Admin\AppData\Local\Temp\WER95BB.tmp.appcompat.txtMD5
5dfb4126dfc2ad3ad267716d0bd8b264
SHA163d66f6ccf5593f200c2d7b151d99515788398af
SHA2563bf1a189a068aa7eee9d64e5300565435c9bff4d5568437c0084c79d105c9db2
SHA512c5608e45c2fa6ac2d0e27be3e3e8c2979c73416dfb72f705cfa7980794bf3089f6c09b41ebf0d9a89a14903ecf1e4ce72ff202d80e7abb4c291edde315829e07
-
C:\Users\All Users\Microsoft\Windows\WER\Temp\WER93B5.tmp.WERInternalMetadata.xmlMD5
54563ff3f923caf6b0f8d42244f41add
SHA1b46e0ea952e2b31b905c48bc625526659a78be9c
SHA25699dde43553c672b1c22e9701b89b5574a94a98d0c9318645aff6db2fc0a1d2d9
SHA512f57b24ccb49043224975d3c048aa300e14f626f4ed01e0a6c8ea88df1b6f7b60a10aad44b0b245cef23c0de9391fdc6da15c8b643fba3e9b4280218ebd92b559
-
memory/508-7-0x0000024CDD7D0000-0x0000024CDD7D1000-memory.dmpFilesize
4KB
-
memory/508-8-0x0000024CDD7D0000-0x0000024CDD7D1000-memory.dmpFilesize
4KB
-
memory/928-4-0x0000000000000000-mapping.dmp
-
memory/1220-3-0x0000000000000000-mapping.dmp
-
memory/2324-6-0x0000000000000000-mapping.dmp
-
memory/2924-2-0x0000000000000000-mapping.dmp
-
memory/4036-5-0x0000000000000000-mapping.dmp