Analysis
- Max time kernel: 150s
- Max time network: 136s
- Platform: windows10_x64
- Resource: win10v20210408
- Submitted: 14-04-2021 06:06
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e.bin.sample.exe
  - Resource: win7v20210410
- Behavioral task: behavioral2
  - Sample: 8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e.bin.sample.exe
  - Resource: win10v20210408
General
- Target: 8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e.bin.sample.exe
- Size: 156KB
- MD5: 158a38fb23353bd53e8e9f505408ef00
- SHA1: d3e0d5661a9c8f87f72eac9703d572ee42bb4498
- SHA256: 8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e
- SHA512: 04c94041b059c96497683d096a07ea757dd964255cfac8ad8e0ddc5c33fbc1611d7e8bcf5e64cda77ffd62da26ae70869eef06e78fcf8503b7adc0caf1c2714f
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (3 IoCs)
Processes (PID, process):
- 3460 EIN1R3~1:bin
- 2212 vds.exe
- 504 5NAsKj:bin
Modifies extensions of user files (44 IoCs)
Ransomware generally changes the extension on encrypted files.
Possible privilege escalation attempt (2 IoCs)
Processes (PID, process):
- 3984 takeown.exe
- 4192 icacls.exe

Sets service image path in registry (2 TTPs)

Windows Defender anti-emulation file check (1 TTP)
Defender's emulator always creates certain fake files which can be used to detect it.

Deletes itself (1 IoC)
Processes (PID, process):
- 3460 EIN1R3~1:bin

Modifies file permissions (1 TTP, 2 IoCs)
Processes (PID, process):
- 3984 takeown.exe
- 4192 icacls.exe
Checks whether UAC is enabled (4 IoCs)
Processes (description, IoC, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (vds.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (5NAsKj:bin)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e.bin.sample.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (EIN1R3~1:bin)
Drops desktop.ini file(s) (1 IoC)
Processes (description, IoC, process):
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI (vds.exe)

Drops file in System32 directory (2 IoCs)
Processes (description, IoC, process):
- File opened for modification: C:\Windows\System32\vds.exe (EIN1R3~1:bin)
- File created: C:\Windows\System32\vds.exe:0 (EIN1R3~1:bin)

Drops file in Program Files directory (64 IoCs)
Discovers systems in the same network (1 TTP, 1 IoC)

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (PID, process):
- 496 vssadmin.exe
- 808 vssadmin.exe

NTFS ADS (2 IoCs)
Processes (description, IoC, process):
- File created: C:\Users\Admin\AppData\Roaming\EIN1R3~1:bin (8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e.bin.sample.exe)
- File created: C:\Users\Admin\AppData\Roaming\5NAsKj:bin (vds.exe)

Runs net.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (PID, process):
- 2212 vds.exe
- 2212 vds.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (token, PID, process):
- SeBackupPrivilege 4216 vssvc.exe
- SeRestorePrivilege 4216 vssvc.exe
- SeAuditPrivilege 4216 vssvc.exe
- SeTakeOwnershipPrivilege 3984 takeown.exe
- SeIncreaseQuotaPrivilege 2212 vds.exe
- SeAssignPrimaryTokenPrivilege 2212 vds.exe

Suspicious use of WriteProcessMemory (34 IoCs)
Processes

- C:\Users\Admin\AppData\Local\Temp\8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e.bin.sample.exe"
  Signatures: Checks whether UAC is enabled; NTFS ADS; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\EIN1R3~1:bin
    Command line: C:\Users\Admin\AppData\Roaming\EIN1R3~1:bin C:\Users\Admin\AppData\Local\Temp\8DF125~1.EXE
    Signatures: Executes dropped EXE; Deletes itself; Checks whether UAC is enabled; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\system32\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\System32\vds.exe
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\System32\vds.exe /reset
      Signatures: Possible privilege escalation attempt; Modifies file permissions
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  Signatures: Executes dropped EXE; Modifies extensions of user files; Checks whether UAC is enabled; Drops desktop.ini file(s); Drops file in Program Files directory; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\5NAsKj:bin
    Command line: C:\Users\Admin\AppData\Roaming\5NAsKj:bin
    Signatures: Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\system32\arp.exe
      Command line: C:\Windows\system32\\arp.exe -a
    - C:\Windows\system32\nslookup.exe
      Command line: C:\Windows\system32\\nslookup.exe 10.10.0.1
    - C:\Windows\system32\nslookup.exe
      Command line: C:\Windows\system32\\nslookup.exe 10.10.0.30
    - C:\Windows\system32\nslookup.exe
      Command line: C:\Windows\system32\\nslookup.exe 10.10.0.35
    - C:\Windows\system32\nslookup.exe
      Command line: C:\Windows\system32\\nslookup.exe 10.10.0.255
    - C:\Windows\system32\nslookup.exe
      Command line: C:\Windows\system32\\nslookup.exe 224.0.0.22
    - C:\Windows\system32\nslookup.exe
      Command line: C:\Windows\system32\\nslookup.exe 224.0.0.252
    - C:\Windows\system32\nslookup.exe
      Command line: C:\Windows\system32\\nslookup.exe 239.255.255.250
    - C:\Windows\system32\nslookup.exe
      Command line: C:\Windows\system32\\nslookup.exe 255.255.255.255
    - C:\Windows\system32\net.exe
      Command line: C:\Windows\system32\\net.exe view igmp.mcast.net
      Signatures: Discovers systems in the same network
Downloads

- C:\Users\Admin\AppData\Roaming\5NAsKj:bin
  MD5: 158a38fb23353bd53e8e9f505408ef00
  SHA1: d3e0d5661a9c8f87f72eac9703d572ee42bb4498
  SHA256: 8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e
  SHA512: 04c94041b059c96497683d096a07ea757dd964255cfac8ad8e0ddc5c33fbc1611d7e8bcf5e64cda77ffd62da26ae70869eef06e78fcf8503b7adc0caf1c2714f
- C:\Users\Admin\AppData\Roaming\EIN1R3~1:bin
  MD5: 158a38fb23353bd53e8e9f505408ef00
  SHA1: d3e0d5661a9c8f87f72eac9703d572ee42bb4498
  SHA256: 8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e
  SHA512: 04c94041b059c96497683d096a07ea757dd964255cfac8ad8e0ddc5c33fbc1611d7e8bcf5e64cda77ffd62da26ae70869eef06e78fcf8503b7adc0caf1c2714f
- C:\Windows\System32\vds.exe
  MD5: 158a38fb23353bd53e8e9f505408ef00
  SHA1: d3e0d5661a9c8f87f72eac9703d572ee42bb4498
  SHA256: 8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e
  SHA512: 04c94041b059c96497683d096a07ea757dd964255cfac8ad8e0ddc5c33fbc1611d7e8bcf5e64cda77ffd62da26ae70869eef06e78fcf8503b7adc0caf1c2714f