8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e

General

Target

8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e.bin.sample.exe
Size

156KB
MD5

158a38fb23353bd53e8e9f505408ef00
SHA1

d3e0d5661a9c8f87f72eac9703d572ee42bb4498
SHA256

8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e
SHA512

04c94041b059c96497683d096a07ea757dd964255cfac8ad8e0ddc5c33fbc1611d7e8bcf5e64cda77ffd62da26ae70869eef06e78fcf8503b7adc0caf1c2714f

Score

9^/10

discovery evasion exploit persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 3 IoCs

Processes:

EIN1R3~1:binvds.exe5NAsKj:bin

pid process

3460 EIN1R3~1:bin
2212 vds.exe
504 5NAsKj:bin

pid	process
3460	EIN1R3~1:bin
2212	vds.exe
504	5NAsKj:bin

Modifies extensions of user files 44 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

vds.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\DisableRegister.tif => C:\Users\Admin\Pictures\DisableRegister.tif.midwestsurinc	vds.exe
File created	C:\Users\Admin\Pictures\DisableRegister.tif.midwestsurinc_readme	vds.exe
File created	C:\Users\Admin\Pictures\DismountFind.png.midwestsurinc_readme	vds.exe
File created	C:\Users\Admin\Pictures\LimitPing.png.midwestsurinc_readme	vds.exe
File renamed	C:\Users\Admin\Pictures\ResetCompress.png => C:\Users\Admin\Pictures\ResetCompress.png.midwestsurinc	vds.exe
File opened for modification	C:\Users\Admin\Pictures\ResetCompress.png.midwestsurinc	vds.exe
File opened for modification	C:\Users\Admin\Pictures\ResizeWrite.raw.midwestsurinc	vds.exe
File opened for modification	C:\Users\Admin\Pictures\CheckpointClear.png.midwestsurinc	vds.exe
File renamed	C:\Users\Admin\Pictures\UseOut.tif => C:\Users\Admin\Pictures\UseOut.tif.midwestsurinc	vds.exe
File created	C:\Users\Admin\Pictures\CheckpointClear.png.midwestsurinc_readme	vds.exe
File created	C:\Users\Admin\Pictures\EnterCopy.crw.midwestsurinc_readme	vds.exe
File renamed	C:\Users\Admin\Pictures\LimitPing.png => C:\Users\Admin\Pictures\LimitPing.png.midwestsurinc	vds.exe
File opened for modification	C:\Users\Admin\Pictures\ResetCompress.png.midwestsurinc_readme	vds.exe
File opened for modification	C:\Users\Admin\Pictures\ResizeWrite.raw.midwestsurinc_readme	vds.exe
File opened for modification	C:\Users\Admin\Pictures\EnterCopy.crw.midwestsurinc_readme	vds.exe
File opened for modification	C:\Users\Admin\Pictures\DisableRegister.tif.midwestsurinc_readme	vds.exe
File renamed	C:\Users\Admin\Pictures\DismountFind.png => C:\Users\Admin\Pictures\DismountFind.png.midwestsurinc	vds.exe
File opened for modification	C:\Users\Admin\Pictures\DismountFind.png.midwestsurinc	vds.exe
File renamed	C:\Users\Admin\Pictures\HideGrant.raw => C:\Users\Admin\Pictures\HideGrant.raw.midwestsurinc	vds.exe
File opened for modification	C:\Users\Admin\Pictures\HideGrant.raw.midwestsurinc_readme	vds.exe
File opened for modification	C:\Users\Admin\Pictures\JoinPush.crw.midwestsurinc_readme	vds.exe
File opened for modification	C:\Users\Admin\Pictures\LimitPing.png.midwestsurinc_readme	vds.exe
File renamed	C:\Users\Admin\Pictures\CheckpointClear.png => C:\Users\Admin\Pictures\CheckpointClear.png.midwestsurinc	vds.exe
File created	C:\Users\Admin\Pictures\UseOut.tif.midwestsurinc_readme	vds.exe
File opened for modification	C:\Users\Admin\Pictures\UseOut.tif.midwestsurinc	vds.exe
File renamed	C:\Users\Admin\Pictures\JoinPush.crw => C:\Users\Admin\Pictures\JoinPush.crw.midwestsurinc	vds.exe
File opened for modification	C:\Users\Admin\Pictures\LimitPing.png.midwestsurinc	vds.exe
File opened for modification	C:\Users\Admin\Pictures\MoveOpen.raw.midwestsurinc	vds.exe
File opened for modification	C:\Users\Admin\Pictures\MoveOpen.raw.midwestsurinc_readme	vds.exe
File created	C:\Users\Admin\Pictures\ResetCompress.png.midwestsurinc_readme	vds.exe
File created	C:\Users\Admin\Pictures\ResizeWrite.raw.midwestsurinc_readme	vds.exe
File opened for modification	C:\Users\Admin\Pictures\UseOut.tif.midwestsurinc_readme	vds.exe
File opened for modification	C:\Users\Admin\Pictures\DismountFind.png.midwestsurinc_readme	vds.exe
File opened for modification	C:\Users\Admin\Pictures\JoinPush.crw.midwestsurinc	vds.exe
File created	C:\Users\Admin\Pictures\JoinPush.crw.midwestsurinc_readme	vds.exe
File renamed	C:\Users\Admin\Pictures\ResizeWrite.raw => C:\Users\Admin\Pictures\ResizeWrite.raw.midwestsurinc	vds.exe
File opened for modification	C:\Users\Admin\Pictures\CheckpointClear.png.midwestsurinc_readme	vds.exe
File opened for modification	C:\Users\Admin\Pictures\HideGrant.raw.midwestsurinc	vds.exe
File renamed	C:\Users\Admin\Pictures\MoveOpen.raw => C:\Users\Admin\Pictures\MoveOpen.raw.midwestsurinc	vds.exe
File created	C:\Users\Admin\Pictures\MoveOpen.raw.midwestsurinc_readme	vds.exe
File opened for modification	C:\Users\Admin\Pictures\DisableRegister.tif.midwestsurinc	vds.exe
File opened for modification	C:\Users\Admin\Pictures\EnterCopy.crw.midwestsurinc	vds.exe
File created	C:\Users\Admin\Pictures\HideGrant.raw.midwestsurinc_readme	vds.exe
File renamed	C:\Users\Admin\Pictures\EnterCopy.crw => C:\Users\Admin\Pictures\EnterCopy.crw.midwestsurinc	vds.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

3984 takeown.exe
4192 icacls.exe
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Windows Defender anti-emulation file check 1 TTPs
Defender's emulator always creates certain fake files which can be used to detect it.

System Information Discovery
T1082
Deletes itself 1 IoCs

Processes:

EIN1R3~1:bin

pid process

3460 EIN1R3~1:bin
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

3984 takeown.exe
4192 icacls.exe

pid	process
3984	takeown.exe
4192	icacls.exe

pid	process
3460	EIN1R3~1:bin

pid	process
3984	takeown.exe
4192	icacls.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

vds.exe5NAsKj:bin8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e.bin.sample.exeEIN1R3~1:bin

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vds.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5NAsKj:bin
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e.bin.sample.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EIN1R3~1:bin

Drops desktop.ini file(s) 1 IoCs

Processes:

vds.exe

description ioc process

File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI vds.exe
Drops file in System32 directory 2 IoCs

Processes:

EIN1R3~1:bin

description ioc process

File opened for modification C:\Windows\System32\vds.exe EIN1R3~1:bin
File created C:\Windows\System32\vds.exe:0 EIN1R3~1:bin

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	vds.exe

description	ioc	process
File opened for modification	C:\Windows\System32\vds.exe	EIN1R3~1:bin
File created	C:\Windows\System32\vds.exe:0	EIN1R3~1:bin

Drops file in Program Files directory 64 IoCs

Processes:

vds.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml	vds.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-pl.xrm-ms	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms.midwestsurinc	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.midwestsurinc	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML.midwestsurinc	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\StoreLogo.png.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_export_18.svg	vds.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js	vds.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML.midwestsurinc	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png.midwestsurinc	vds.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml.midwestsurinc_readme	vds.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\improved-office-to-pdf.png.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jar.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms	vds.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\New-Fixture.ps1	vds.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_ja_4.4.0.v20140623020002.jar.midwestsurinc	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin.midwestsurinc	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.midwestsurinc	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg.midwestsurinc	vds.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd-BoldOblique.otf.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html.midwestsurinc_readme	vds.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\main.css.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_zh_4.4.0.v20140623020002.jar.midwestsurinc	vds.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\vlc.mo.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\classfile_constants.h	vds.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\vlc.mo.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Interceptor.tlb	vds.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql70.xsl.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_ja.jar.midwestsurinc	vds.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview_selected-hover.svg.midwestsurinc_readme	vds.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\convertpdf-selector.js.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_ja.jar.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	vds.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\Xusage.txt.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-LIGHT.TTF.midwestsurinc	vds.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\BASMLA.XSL.midwestsurinc_readme	vds.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\root\ui-strings.js.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hu.pak.midwestsurinc_readme	vds.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf.midwestsurinc_readme	vds.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\sunmscapi.jar.midwestsurinc	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\sdxs.xml.midwestsurinc_readme	vds.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\calendars.properties.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pt-br\ui-strings.js.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sv-se\ui-strings.js	vds.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\PlayStore_icon.svg.midwestsurinc	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAI.TTF.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-phn.xrm-ms.midwestsurinc	vds.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluNoSearchResults_180x160.svg.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\ui-strings.js	vds.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\WelcomeCardRdr-2x.png.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\share_icons.png.midwestsurinc_readme	vds.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-oob.xrm-ms.midwestsurinc	vds.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar	vds.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\ui-strings.js.midwestsurinc	vds.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\zipfs.jar.midwestsurinc_readme	vds.exe

Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

4292 net.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

496 vssadmin.exe
808 vssadmin.exe

pid	process
4292	net.exe

pid	process
496	vssadmin.exe
808	vssadmin.exe

NTFS ADS 2 IoCs

Processes:

8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e.bin.sample.exevds.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\EIN1R3~1:bin	8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e.bin.sample.exe
File created	C:\Users\Admin\AppData\Roaming\5NAsKj:bin	vds.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vds.exe

pid process

2212 vds.exe
2212 vds.exe

pid	process
2212	vds.exe
2212	vds.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

vssvc.exetakeown.exevds.exe

description	pid	process
Token: SeBackupPrivilege	4216	vssvc.exe
Token: SeRestorePrivilege	4216	vssvc.exe
Token: SeAuditPrivilege	4216	vssvc.exe
Token: SeTakeOwnershipPrivilege	3984	takeown.exe
Token: SeIncreaseQuotaPrivilege	2212	vds.exe
Token: SeAssignPrimaryTokenPrivilege	2212	vds.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e.bin.sample.exeEIN1R3~1:binvds.exe5NAsKj:bin

description	pid	process	target process
PID 4656 wrote to memory of 3460	4656	8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e.bin.sample.exe	EIN1R3~1:bin
PID 4656 wrote to memory of 3460	4656	8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e.bin.sample.exe	EIN1R3~1:bin
PID 4656 wrote to memory of 3460	4656	8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e.bin.sample.exe	EIN1R3~1:bin
PID 3460 wrote to memory of 496	3460	EIN1R3~1:bin	vssadmin.exe
PID 3460 wrote to memory of 496	3460	EIN1R3~1:bin	vssadmin.exe
PID 3460 wrote to memory of 3984	3460	EIN1R3~1:bin	takeown.exe
PID 3460 wrote to memory of 3984	3460	EIN1R3~1:bin	takeown.exe
PID 3460 wrote to memory of 4192	3460	EIN1R3~1:bin	icacls.exe
PID 3460 wrote to memory of 4192	3460	EIN1R3~1:bin	icacls.exe
PID 2212 wrote to memory of 504	2212	vds.exe	5NAsKj:bin
PID 2212 wrote to memory of 504	2212	vds.exe	5NAsKj:bin
PID 2212 wrote to memory of 504	2212	vds.exe	5NAsKj:bin
PID 504 wrote to memory of 808	504	5NAsKj:bin	vssadmin.exe
PID 504 wrote to memory of 808	504	5NAsKj:bin	vssadmin.exe
PID 504 wrote to memory of 1208	504	5NAsKj:bin	arp.exe
PID 504 wrote to memory of 1208	504	5NAsKj:bin	arp.exe
PID 504 wrote to memory of 1132	504	5NAsKj:bin	nslookup.exe
PID 504 wrote to memory of 1132	504	5NAsKj:bin	nslookup.exe
PID 504 wrote to memory of 1436	504	5NAsKj:bin	nslookup.exe
PID 504 wrote to memory of 1436	504	5NAsKj:bin	nslookup.exe
PID 504 wrote to memory of 1752	504	5NAsKj:bin	nslookup.exe
PID 504 wrote to memory of 1752	504	5NAsKj:bin	nslookup.exe
PID 504 wrote to memory of 1508	504	5NAsKj:bin	nslookup.exe
PID 504 wrote to memory of 1508	504	5NAsKj:bin	nslookup.exe
PID 504 wrote to memory of 2472	504	5NAsKj:bin	nslookup.exe
PID 504 wrote to memory of 2472	504	5NAsKj:bin	nslookup.exe
PID 504 wrote to memory of 2724	504	5NAsKj:bin	nslookup.exe
PID 504 wrote to memory of 2724	504	5NAsKj:bin	nslookup.exe
PID 504 wrote to memory of 3116	504	5NAsKj:bin	nslookup.exe
PID 504 wrote to memory of 3116	504	5NAsKj:bin	nslookup.exe
PID 504 wrote to memory of 4016	504	5NAsKj:bin	nslookup.exe
PID 504 wrote to memory of 4016	504	5NAsKj:bin	nslookup.exe
PID 504 wrote to memory of 4292	504	5NAsKj:bin	net.exe
PID 504 wrote to memory of 4292	504	5NAsKj:bin	net.exe

C:\Users\Admin\AppData\Local\Temp\8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e.bin.sample.exe"
1⤵
- Checks whether UAC is enabled
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4656

C:\Users\Admin\AppData\Roaming\EIN1R3~1:bin
C:\Users\Admin\AppData\Roaming\EIN1R3~1:bin C:\Users\Admin\AppData\Local\Temp\8DF125~1.EXE
2⤵
- Executes dropped EXE
- Deletes itself
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:496

C:\Windows\system32\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Windows\System32\vds.exe
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\Windows\System32\vds.exe /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212

C:\Users\Admin\AppData\Roaming\5NAsKj:bin
C:\Users\Admin\AppData\Roaming\5NAsKj:bin
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:808

C:\Windows\system32\arp.exe
C:\Windows\system32\\arp.exe -a
3⤵
PID:1208

C:\Windows\system32\nslookup.exe
C:\Windows\system32\\nslookup.exe 10.10.0.1
3⤵
PID:1132

C:\Windows\system32\nslookup.exe
C:\Windows\system32\\nslookup.exe 10.10.0.30
3⤵
PID:1436

C:\Windows\system32\nslookup.exe
C:\Windows\system32\\nslookup.exe 10.10.0.35
3⤵
PID:1752

C:\Windows\system32\nslookup.exe
C:\Windows\system32\\nslookup.exe 10.10.0.255
3⤵
PID:1508

C:\Windows\system32\nslookup.exe
C:\Windows\system32\\nslookup.exe 224.0.0.22
3⤵
PID:2472

C:\Windows\system32\nslookup.exe
C:\Windows\system32\\nslookup.exe 224.0.0.252
3⤵
PID:2724

C:\Windows\system32\nslookup.exe
C:\Windows\system32\\nslookup.exe 239.255.255.250
3⤵
PID:3116

C:\Windows\system32\nslookup.exe
C:\Windows\system32\\nslookup.exe 255.255.255.255
3⤵
PID:4016

C:\Windows\system32\net.exe
C:\Windows\system32\\net.exe view igmp.mcast.net
3⤵
- Discovers systems in the same network
PID:4292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5NAsKj:bin
MD5
158a38fb23353bd53e8e9f505408ef00

SHA1
d3e0d5661a9c8f87f72eac9703d572ee42bb4498

SHA256
8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e

SHA512
04c94041b059c96497683d096a07ea757dd964255cfac8ad8e0ddc5c33fbc1611d7e8bcf5e64cda77ffd62da26ae70869eef06e78fcf8503b7adc0caf1c2714f

Download Submit
C:\Users\Admin\AppData\Roaming\5NAsKj:bin
MD5
158a38fb23353bd53e8e9f505408ef00

SHA1
d3e0d5661a9c8f87f72eac9703d572ee42bb4498

SHA256
8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e

SHA512
04c94041b059c96497683d096a07ea757dd964255cfac8ad8e0ddc5c33fbc1611d7e8bcf5e64cda77ffd62da26ae70869eef06e78fcf8503b7adc0caf1c2714f

Download Submit
C:\Users\Admin\AppData\Roaming\EIN1R3~1:bin
MD5
158a38fb23353bd53e8e9f505408ef00

SHA1
d3e0d5661a9c8f87f72eac9703d572ee42bb4498

SHA256
8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e

SHA512
04c94041b059c96497683d096a07ea757dd964255cfac8ad8e0ddc5c33fbc1611d7e8bcf5e64cda77ffd62da26ae70869eef06e78fcf8503b7adc0caf1c2714f

Download Submit
C:\Users\Admin\AppData\Roaming\EIN1R3~1:bin
MD5
158a38fb23353bd53e8e9f505408ef00

SHA1
d3e0d5661a9c8f87f72eac9703d572ee42bb4498

SHA256
8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e

SHA512
04c94041b059c96497683d096a07ea757dd964255cfac8ad8e0ddc5c33fbc1611d7e8bcf5e64cda77ffd62da26ae70869eef06e78fcf8503b7adc0caf1c2714f

Download Submit
C:\Windows\System32\vds.exe
MD5
158a38fb23353bd53e8e9f505408ef00

SHA1
d3e0d5661a9c8f87f72eac9703d572ee42bb4498

SHA256
8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e

SHA512
04c94041b059c96497683d096a07ea757dd964255cfac8ad8e0ddc5c33fbc1611d7e8bcf5e64cda77ffd62da26ae70869eef06e78fcf8503b7adc0caf1c2714f

Download Submit
C:\Windows\System32\vds.exe
MD5
158a38fb23353bd53e8e9f505408ef00

SHA1
d3e0d5661a9c8f87f72eac9703d572ee42bb4498

SHA256
8df125c407a6c3e6049125c4a98b890da4f21c8ab14d508557fbb2da8393af3e

SHA512
04c94041b059c96497683d096a07ea757dd964255cfac8ad8e0ddc5c33fbc1611d7e8bcf5e64cda77ffd62da26ae70869eef06e78fcf8503b7adc0caf1c2714f

Download Submit
memory/496-123-0x0000000000000000-mapping.dmp

Download
memory/504-132-0x0000000000000000-mapping.dmp

Download
memory/504-145-0x0000000002430000-0x00000000024DE000-memory.dmp

Filesize
696KB

Download
memory/808-137-0x0000000000000000-mapping.dmp

Download
memory/1132-139-0x0000000000000000-mapping.dmp

Download
memory/1208-138-0x0000000000000000-mapping.dmp

Download
memory/1436-140-0x0000000000000000-mapping.dmp

Download
memory/1508-142-0x0000000000000000-mapping.dmp

Download
memory/1752-141-0x0000000000000000-mapping.dmp

Download
memory/2472-146-0x0000000000000000-mapping.dmp

Download
memory/2724-148-0x0000000000000000-mapping.dmp

Download
memory/3116-149-0x0000000000000000-mapping.dmp

Download
memory/3460-124-0x0000000002570000-0x00000000026BA000-memory.dmp

Filesize
1.3MB

Download
memory/3460-118-0x0000000000000000-mapping.dmp

Download
memory/3984-126-0x0000000000000000-mapping.dmp

Download
memory/4016-150-0x0000000000000000-mapping.dmp

Download
memory/4192-127-0x0000000000000000-mapping.dmp

Download
memory/4292-151-0x0000000000000000-mapping.dmp

Download
memory/4656-117-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4656-116-0x0000000002490000-0x0000000002496000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads