buran | 8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06

Analysis

max time kernel
117s
max time network
99s
platform
windows7_x64
resource
win7v20210408
submitted
27-04-2021 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
Size

311KB
MD5

7e6635c48ad3d8c59b825f4b09caba1c
SHA1

f685d5da78e69a52e2dfa4dc4b5ec16c8538671b
SHA256

8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06
SHA512

44021a0b7a6b6be8517e70b8d5bac9e039caa59f6d995272e1a185dec9b71c302c13cb05b55bd5b48b6b0b9c9b0f5534e4c8285cdcafe38e9e7f24252e79698c

Score

10^/10

buran ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: rootiunik@cock.li and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: rootiunik@cock.li Reserved email: TimothyCrabtree@protonmail.com Your personal ID: 159-765-CA4 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

rootiunik@cock.li

TimothyCrabtree@protonmail.com

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

952 notepad.exe

pid	process
952	notepad.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe

description	ioc	process
File opened (read-only)	\??\V:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\M:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\F:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\E:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\A:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\Z:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\X:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\R:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\Q:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\P:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\N:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\K:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\T:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\S:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\O:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\L:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\J:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\I:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\H:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\G:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\B:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\Y:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\W:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened (read-only)	\??\U:	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 geoiptool.com

flow	ioc
5	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\lib\fontconfig.properties.src.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00116_.WMF.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-compat.jar	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239935.WMF.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107512.WMF.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OMML2MML.XSL.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WING2.WMF.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticnotification.exsd	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099183.WMF.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239955.WMF.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341561.JPG.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00563_.WMF	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00011_.WMF	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309567.JPG	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EET.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748G.GIF.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\powerpnt.exe.manifest	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\access-bridge-64.jar.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.ja_5.5.0.165303.jar.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File created	C:\Program Files (x86)\Windows NT\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\macroprogress.gif	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00531L.GIF.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\BG_ADOBE.GIF.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansDemiBold.ttf.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Concourse.eftx	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rio_Branco	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh87.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART6.BDR.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSSKETLG.WMF.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086428.WMF.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195788.WMF.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\TexturedBlue.css.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BZCRD98.POC.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\HEADINGBB.DPV.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\New_York	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zurich	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME20.CSS	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Teal.css	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00734_.WMF.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis.css	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN01308_.WMF	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Jamaica	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File created	C:\Program Files\Internet Explorer\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE.rootiunik.159-765-CA4	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe

Drops file in Windows directory 1 IoCs

Processes:

8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe

description	ioc	process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1576 vssadmin.exe
932 vssadmin.exe

pid	process
1576	vssadmin.exe
932	vssadmin.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1484	WMIC.exe
Token: SeSecurityPrivilege	1484	WMIC.exe
Token: SeTakeOwnershipPrivilege	1484	WMIC.exe
Token: SeLoadDriverPrivilege	1484	WMIC.exe
Token: SeSystemProfilePrivilege	1484	WMIC.exe
Token: SeSystemtimePrivilege	1484	WMIC.exe
Token: SeProfSingleProcessPrivilege	1484	WMIC.exe
Token: SeIncBasePriorityPrivilege	1484	WMIC.exe
Token: SeCreatePagefilePrivilege	1484	WMIC.exe
Token: SeBackupPrivilege	1484	WMIC.exe
Token: SeRestorePrivilege	1484	WMIC.exe
Token: SeShutdownPrivilege	1484	WMIC.exe
Token: SeDebugPrivilege	1484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1484	WMIC.exe
Token: SeRemoteShutdownPrivilege	1484	WMIC.exe
Token: SeUndockPrivilege	1484	WMIC.exe
Token: SeManageVolumePrivilege	1484	WMIC.exe
Token: 33	1484	WMIC.exe
Token: 34	1484	WMIC.exe
Token: 35	1484	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1724	WMIC.exe
Token: SeSecurityPrivilege	1724	WMIC.exe
Token: SeTakeOwnershipPrivilege	1724	WMIC.exe
Token: SeLoadDriverPrivilege	1724	WMIC.exe
Token: SeSystemProfilePrivilege	1724	WMIC.exe
Token: SeSystemtimePrivilege	1724	WMIC.exe
Token: SeProfSingleProcessPrivilege	1724	WMIC.exe
Token: SeIncBasePriorityPrivilege	1724	WMIC.exe
Token: SeCreatePagefilePrivilege	1724	WMIC.exe
Token: SeBackupPrivilege	1724	WMIC.exe
Token: SeRestorePrivilege	1724	WMIC.exe
Token: SeShutdownPrivilege	1724	WMIC.exe
Token: SeDebugPrivilege	1724	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1724	WMIC.exe
Token: SeRemoteShutdownPrivilege	1724	WMIC.exe
Token: SeUndockPrivilege	1724	WMIC.exe
Token: SeManageVolumePrivilege	1724	WMIC.exe
Token: 33	1724	WMIC.exe
Token: 34	1724	WMIC.exe
Token: 35	1724	WMIC.exe
Token: SeBackupPrivilege	988	vssvc.exe
Token: SeRestorePrivilege	988	vssvc.exe
Token: SeAuditPrivilege	988	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1724	WMIC.exe
Token: SeSecurityPrivilege	1724	WMIC.exe
Token: SeTakeOwnershipPrivilege	1724	WMIC.exe
Token: SeLoadDriverPrivilege	1724	WMIC.exe
Token: SeSystemProfilePrivilege	1724	WMIC.exe
Token: SeSystemtimePrivilege	1724	WMIC.exe
Token: SeProfSingleProcessPrivilege	1724	WMIC.exe
Token: SeIncBasePriorityPrivilege	1724	WMIC.exe
Token: SeCreatePagefilePrivilege	1724	WMIC.exe
Token: SeBackupPrivilege	1724	WMIC.exe
Token: SeRestorePrivilege	1724	WMIC.exe
Token: SeShutdownPrivilege	1724	WMIC.exe
Token: SeDebugPrivilege	1724	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1724	WMIC.exe
Token: SeRemoteShutdownPrivilege	1724	WMIC.exe
Token: SeUndockPrivilege	1724	WMIC.exe
Token: SeManageVolumePrivilege	1724	WMIC.exe
Token: 33	1724	WMIC.exe
Token: 34	1724	WMIC.exe
Token: 35	1724	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1484	WMIC.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1832 wrote to memory of 1868	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1868	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1868	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1868	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1032	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1032	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1032	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1032	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1392	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1392	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1392	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1392	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 864	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 864	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 864	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 864	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1284	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1284	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1284	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1284	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1680	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1680	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1680	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1680	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	cmd.exe
PID 1832 wrote to memory of 1252	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
PID 1832 wrote to memory of 1252	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
PID 1832 wrote to memory of 1252	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
PID 1832 wrote to memory of 1252	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
PID 1868 wrote to memory of 1484	1868	cmd.exe	WMIC.exe
PID 1868 wrote to memory of 1484	1868	cmd.exe	WMIC.exe
PID 1868 wrote to memory of 1484	1868	cmd.exe	WMIC.exe
PID 1868 wrote to memory of 1484	1868	cmd.exe	WMIC.exe
PID 1284 wrote to memory of 1576	1284	cmd.exe	vssadmin.exe
PID 1284 wrote to memory of 1576	1284	cmd.exe	vssadmin.exe
PID 1284 wrote to memory of 1576	1284	cmd.exe	vssadmin.exe
PID 1284 wrote to memory of 1576	1284	cmd.exe	vssadmin.exe
PID 1680 wrote to memory of 1724	1680	cmd.exe	WMIC.exe
PID 1680 wrote to memory of 1724	1680	cmd.exe	WMIC.exe
PID 1680 wrote to memory of 1724	1680	cmd.exe	WMIC.exe
PID 1680 wrote to memory of 1724	1680	cmd.exe	WMIC.exe
PID 1680 wrote to memory of 932	1680	cmd.exe	vssadmin.exe
PID 1680 wrote to memory of 932	1680	cmd.exe	vssadmin.exe
PID 1680 wrote to memory of 932	1680	cmd.exe	vssadmin.exe
PID 1680 wrote to memory of 932	1680	cmd.exe	vssadmin.exe
PID 1832 wrote to memory of 952	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	notepad.exe
PID 1832 wrote to memory of 952	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	notepad.exe
PID 1832 wrote to memory of 952	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	notepad.exe
PID 1832 wrote to memory of 952	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	notepad.exe
PID 1832 wrote to memory of 952	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	notepad.exe
PID 1832 wrote to memory of 952	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	notepad.exe
PID 1832 wrote to memory of 952	1832	8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
"C:\Users\Admin\AppData\Local\Temp\8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
2⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
2⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:932

C:\Users\Admin\AppData\Local\Temp\8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
"C:\Users\Admin\AppData\Local\Temp\8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe" -agent 0
2⤵
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1252

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
1⤵
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\Desktop\AddUnregister.ppt.rootiunik.159-765-CA4
MD5
d1fbc8f71f6e94cc6578ceb3f867ab81

SHA1
a189abd1efb5b22c321c6ec351afacb2972e7fce

SHA256
badaaf485d1a886962f71d9836ab66db2e9b1a79212bb3dbca7a8f7e799ce27d

SHA512
1a031003fe4ea80afea22580398ef793c55e096de534f607c73a582f9b6cd915e51b3c75a64f4a689f0f272957bea463045fb117241fbe1200630bdf5ca37c22

Download Submit
C:\Users\Admin\Desktop\BlockCompare.vbe.rootiunik.159-765-CA4
MD5
3c6b69ee9367d519c9b5876da234ffa4

SHA1
6a441c5215c3cbdc7a780cc8fa6ebb6a39e3b2cc

SHA256
2eda5a064234998753ebc5e5e234699747571491110699527322c025b056c58d

SHA512
db9cadd222acfe2c3b9ccb70b66e8925b973d63339bc81d06d6f21e6379ab3868d06264d5fe8259b195a6e2dbb80069beec60684fdf99050062e2d98cf6d4f39

Download Submit
C:\Users\Admin\Desktop\ConvertExpand.wmv.rootiunik.159-765-CA4
MD5
a7fc99c5ef6d43e17c70820528723dd9

SHA1
9399e2ea492dee0d94a3ebfd3ee1b7a47220fff6

SHA256
8dbcc03cc49edd4dc936a07f3326bd8ad3bce4e8eb0508ff9133b58f3ef8bd3e

SHA512
80a3785849bee2d56e6f29ba9b6e8c13511b1096bdb2e88aba1645781a276652aafa366fa6b0ccc6c2017f0d736d405734bce673e39de65780c14c710e1d8cde

Download Submit
C:\Users\Admin\Desktop\ConvertFromDisconnect.xps.rootiunik.159-765-CA4
MD5
7c919049ce064fdec310230562d9fd73

SHA1
7d8c62339bd2399500994ca5eb0998a02bee3efa

SHA256
bbfbf77b71c622afe85661a4cb8e997eac8125a4519574bd7134d4ebbfa27069

SHA512
bdd848813aa22ef4489a2e866a53a712f400fbf1fe8ffb04ce9e8ff32834fc42640334958ec901c7d8a5a43ea532de8734df7aef4e5e5c44ba5f4df82363504c

Download Submit
C:\Users\Admin\Desktop\DisconnectPublish.ex_.rootiunik.159-765-CA4
MD5
61f174f4be8e19b156e2effa418788c0

SHA1
9d59378f0e07ff93052b368e0e1ea9b74a463c24

SHA256
689c335d17c31f2a97099b761ad81ac69b4d39fcb55b4def0f6e34732c62620e

SHA512
240aa1ff566c8baa2956522cf5064c0a5c4ee6123f23a3eb37d57af9de6591e2fb3c9234b3cc6915f05b5f4518619fb48af4ba86a2cc4b96afc9fcb20d211165

Download Submit
C:\Users\Admin\Desktop\DismountFormat.bmp.rootiunik.159-765-CA4
MD5
04de76a908200d05bb51c1c87863a528

SHA1
c464a83c3473ed03d40be94d468904bf72b8ff78

SHA256
743ed51ac9bc779c619e46cc3e478f5136b2913b07e8b83e4daf27324a2c221d

SHA512
c9d9a06b94f46bcbc70be56d68c5a88a3fd1e187c48524be5b3a7b85b33e11513cc100f70e5d3115175914662f23b4dc067d5b3cd77ee82a72ff822302271ba5

Download Submit
C:\Users\Admin\Desktop\GetDismount.mpe.rootiunik.159-765-CA4
MD5
4393d370c1f0c02f3293aef27d5078d3

SHA1
b7867a93fd2b1c75ccd32a21679d5fc3fb848550

SHA256
4f9bc4d0c7da018cb727c7d15e3b969d0db5b41a772babf811c3bb5c3b61e4bb

SHA512
366e9e5b178539811bd00bb33e3b494688411c9be5314d270d84407e5af423f43ece22f8e7fc4c3088a090a0a11962588d8affe7021791d4997e3a352e6030c6

Download Submit
C:\Users\Admin\Desktop\GetLock.pot.rootiunik.159-765-CA4
MD5
dfd05ee3f7d7505dd61ab152c4d71d6f

SHA1
8ae32e12b17ad297f0cba7136ef2d4464949a3d9

SHA256
19d73b73639ec0c42f2a92c86e95ce7a0abe8b7cb13a4ee4043690af103dab03

SHA512
0a1c1e2159f594f6b1d1df5ae6f0648692649e8c78778cc8671f4dd6ed91427ae97030e92b88418d5f41372da966076dcd8be720ec1e6a06669834a9e032a87d

Download Submit
C:\Users\Admin\Desktop\JoinConvertTo.htm.rootiunik.159-765-CA4
MD5
b14e0428a70974eb5a7781f607e4efd7

SHA1
bb0ae244d13d70f0797e9cb09364ed05bc86c5bd

SHA256
30378d4210acadb876e179a64b055546a3e9b5888cf38b35f25876f832caf1f9

SHA512
0a8c298b43b82adf06713a280f2f2db386f135d072d845852e2687c4a1942080ed32b81ad4a44e8db40262aee100d2f9949b2dec9dc85da5a55b456cf6e0cae9

Download Submit
C:\Users\Admin\Desktop\MoveEnter.pptm.rootiunik.159-765-CA4
MD5
52fb9cf922d607f28ec9120a91903069

SHA1
05af0bd9a9272dbf5ec79e7845d9aa194d618e7a

SHA256
137f515cb296975a21c3f35cab81bd7a5d432816a245c864ae2800f16d2b3bfc

SHA512
d1da3c8e3fab9531aec69460c9b66abb42fa6ca829c3d483f47426410f02d648a9ea9af18cba3f11afed69076f4604bc194f7263c68b5c3f284ef8d7e814e8c8

Download Submit
C:\Users\Admin\Desktop\MoveExpand.mpeg2.rootiunik.159-765-CA4
MD5
9777d4ab54b4d13d0fe1cb4d390686ab

SHA1
62b473845c4fc6a66928c7c9cd9b5dc50aa4bf81

SHA256
e2a06467e0a46fc9ead8eb0d130cfdfc57922416383abac3d1be32a030322aef

SHA512
e522bd0e4a2e3471d3b0802acbe179f7a26d074e71581c495a3e929b95967d5e7e57727b67c874d4d2981519c13d50b18a24ebd913a5d53891cd1785d45dbfc3

Download Submit
C:\Users\Admin\Desktop\ReadSuspend.easmx.rootiunik.159-765-CA4
MD5
9a3005913ff6659c0fe7064f0098a15a

SHA1
dfc8d0847b0831fd8dc9271c44635e9ea49378e2

SHA256
2ca1ad866a5ae067c92da9773a53d16a5246d55f262bed1b81e05ad0e2e54691

SHA512
bf85441a4423a24ce5b273f2106466ae13f5609da617c13aaabf850052c39bdcfa4f9435ca5489415887fa0a3fbf69a0bf543d9f05a7d72b17916651da524118

Download Submit
C:\Users\Admin\Desktop\ResizeSend.pdf.rootiunik.159-765-CA4
MD5
05bb10a8e684e842e0594fd0352f0f5a

SHA1
805b09c65a2b47f56576d0462c7d0509428e162b

SHA256
91703ec17ed9e1bdb16619d8a500df7f2d7fbbeb1b28c1857edc4c5f888165eb

SHA512
9d2c1f0e13b8dbc0e20ae689cd89a1d69d66ac0d4078ef47237b1a04157b3f63427f9642f406fc1faa8acfc34d2e8b630cd49c593a18db256b45cfe0a8a12f0f

Download Submit
C:\Users\Admin\Desktop\SendTrace.pot.rootiunik.159-765-CA4
MD5
66a198fd5d4981d4b4aeae9c0ef8a81f

SHA1
89359fcfe3bccb4d6f173f579bf8edc5c0000411

SHA256
ea2e39b6d564f1a28e12c0cd7a9896d9e43ff809284052a3b1f425c364857f93

SHA512
c85ba487a36c9ff2aa93417c0d208f2574844810c50ed3ee18b296443e8bf2ff9e543c8ef3a7ffdce3f5bf5c7e5e3f110589be52a9935079ebc5cdd2212fffe8

Download Submit
C:\Users\Admin\Desktop\SkipSave.wav.rootiunik.159-765-CA4
MD5
a741169a023a70f87e3cf2d03345c45d

SHA1
23b868c2e972eeff32d3c5577015e23a319eb6cd

SHA256
9600f744ca296a5118b2ba3fd70780c74df2bb000b7a29a817851637deff5045

SHA512
ccdae562cc640bfd180882b3491a7156b68db5f0b03758366a59bcb19edfa99b1ee0b64406fcf272ec42c1696e55ae5eb3c3050d9af545151a80ea3b22c62e6d

Download Submit
C:\Users\Admin\Desktop\StartCheckpoint.DVR.rootiunik.159-765-CA4
MD5
210da1bf4917cd2592f7f00b6479c176

SHA1
d8f815c724c9f8ab2ccfe97393c819dce783f481

SHA256
880b4fdb5090a634bb0720e34816a6dee0eab25229d4e24ece3f338848568622

SHA512
79052555e0110c54b440dabdf778574424924922c88f10dceae5c5d13a1f1a606eac1fd4b59754f6500e405446ba9a3263194f857cfd04ef6113bbcec8129413

Download Submit
C:\Users\Admin\Desktop\SubmitEnable.vst.rootiunik.159-765-CA4
MD5
5c3f6431ab39f5b3d0741a71e695ba81

SHA1
2296a98378c11f29cf3f0f599ccfda0b5248f803

SHA256
79aa7fda68d45cc74a903c4a279955519e1927e208b010c45f976787aa2784c5

SHA512
f33c9561f23c4fd11260a0608f148982026bd9dbd4faf7815419661514cb862ce47df0a4002f1b4afd6737b4f50a11d641b813325883b9f4e0a4d60ed8848764

Download Submit
C:\Users\Admin\Desktop\SubmitSend.contact.rootiunik.159-765-CA4
MD5
6cc3ff6ca0c00e6ad57518fb918a29e9

SHA1
7b7b912c074a786c3db8cecf65673f097f3ca006

SHA256
ff2f99d6964fca102f8d41e78331499a472dfa71ce076b75b07271fc3305bbf7

SHA512
022bd55892b7534684878ed94132a4c381270faa472c5c069f92114c627756912f38a311bf86931bfa892cfb025837c4a0a93cc8688c45e452610c9cd5b632ce

Download Submit
C:\Users\Admin\Desktop\SuspendRegister.svgz.rootiunik.159-765-CA4
MD5
1c6128111bda5878c4f2f1661268bbd1

SHA1
4c8dbc7285828facd5c8b1e3e8bf2e68901452a7

SHA256
57dbe026fc6e2618bf9a4f07f0568c9730dfc024656cbee86e3e183421fb4208

SHA512
c6046e4fd107c734c80d25153dd0bddedb6d230236e2e2fab8736d6307731061d9642efc3f5df3ca701d201c1272e083247639d95fd9d3a7b3de7e8bf4066131

Download Submit
C:\Users\Admin\Desktop\SwitchComplete.xps.rootiunik.159-765-CA4
MD5
3db03c5e22ec9436ff67a6c868519fe5

SHA1
29d8c670bc7846d0fabfccf5ea75e941b4db6d82

SHA256
cb5a3043f6eb024febcb3fed46fa97645c1ccf07fcb758414e4bc1deb6f92655

SHA512
75068066dfcb86e63178eb47fd0b2e1b680340c7502aadf767431e04f41f2a75422f21215c588855fcd9f55752b57cef9119f1f29e82aec45c3f41b0f006cbdf

Download Submit
C:\Users\Admin\Desktop\TraceFind.ADT.rootiunik.159-765-CA4
MD5
f3ad370505a044685aafa3bbc208ee9b

SHA1
14b360954b7dd9f687f0782cf51738ae71674e64

SHA256
c007e9fae9d7cc4bff367394f6740c6fa74aa23c24a8c76fdeeac95978b068a9

SHA512
c14c47e79a7fee75b3424cea56f9ef45d658b21e0c32cfeda4c487d37719477a9d2391448b112dd89a76d707a92dbbb5e54566ae70a051727f0a747006190b91

Download Submit
C:\Users\Admin\Desktop\UndoTest.snd.rootiunik.159-765-CA4
MD5
e98ee1afc92fc626a7bc24ca80996d8b

SHA1
cbf4155149e171d829629a68e94513f34089f3cb

SHA256
9f8fe30a7de1c6f48794f01e632132f930027c88d32d4201c87919bcc428f818

SHA512
176e35e1169256b6fefcb6ee73e827541162956477c7e95d1de96edf5fd401c6f75564027abb1b2c2ad9311b1eea8d3611f0a844206919486e6de8f2aa7facc3

Download Submit
C:\Users\Public\Desktop\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
MD5
576bc8ae6c484340945fd87dce032c4e

SHA1
e9511d564a4dd52ef90f3bac3986cb679518c02d

SHA256
3ed251be8e40c39ee71cbb5a7e8602ff4b973c845b031472d9841faaf204caa8

SHA512
9b26b95d0923f2393e3f6f2286d0f15a31a5eec7a8cdfa4d0ee0391ed002b7400e8cf7153ea1af28d15ff0b34a26c85f5a3c7c1e6f7e366621396e0983b13fba

Download Submit
memory/864-65-0x0000000000000000-mapping.dmp

Download
memory/932-73-0x0000000000000000-mapping.dmp

Download
memory/952-101-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/952-99-0x0000000000000000-mapping.dmp

Download
memory/1032-63-0x0000000000000000-mapping.dmp

Download
memory/1252-76-0x0000000000400000-0x0000000002BBE000-memory.dmp

Filesize
39.7MB

Download
memory/1252-68-0x0000000000000000-mapping.dmp

Download
memory/1284-66-0x0000000000000000-mapping.dmp

Download
memory/1392-64-0x0000000000000000-mapping.dmp

Download
memory/1484-69-0x0000000000000000-mapping.dmp

Download
memory/1576-71-0x0000000000000000-mapping.dmp

Download
memory/1680-67-0x0000000000000000-mapping.dmp

Download
memory/1692-102-0x000007FEFB681000-0x000007FEFB683000-memory.dmp

Filesize
8KB

Download
memory/1724-72-0x0000000000000000-mapping.dmp

Download
memory/1832-61-0x0000000000400000-0x0000000002BBE000-memory.dmp

Filesize
39.7MB

Download
memory/1832-60-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/1832-59-0x0000000074D91000-0x0000000074D93000-memory.dmp

Filesize
8KB

Download
memory/1868-62-0x0000000000000000-mapping.dmp

Download