Analysis
Max time kernel: 117s
Max time network: 99s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 27-04-2021 07:06
Static task: static1
Behavioral task: behavioral1
  Sample: 8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
  Resource: win10v20210410
General
Target: 8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
Size: 311KB
MD5: 7e6635c48ad3d8c59b825f4b09caba1c
SHA1: f685d5da78e69a52e2dfa4dc4b5ec16c8538671b
SHA256: 8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06
SHA512: 44021a0b7a6b6be8517e70b8d5bac9e039caa59f6d995272e1a185dec9b71c302c13cb05b55bd5b48b6b0b9c9b0f5534e4c8285cdcafe38e9e7f24252e79698c
Malware Config
Extracted
  Ransom note: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  Family: buran
  Contact e-mail addresses in the note: rootiunik@cock.li, TimothyCrabtree@protonmail.com
Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Deletes itself (1 IoC)
Processes:
  notepad.exe (PID 952)

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe opened (read-only) the root of every drive letter except C: and D:
  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 5: geoiptool.com
Drops file in Program Files directory (64 IoCs)
Processes (all by 8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe; encrypted files keep their original name and gain the suffix .rootiunik.159-765-CA4, and the ransom note is created in each directory touched):
  File opened for modification: C:\Program Files\Java\jre7\lib\fontconfig.properties.src.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00116_.WMF.rootiunik.159-765-CA4
  File created: C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-compat.jar
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239935.WMF.rootiunik.159-765-CA4
  File created: C:\Program Files\DVD Maker\Shared\DvdStyles\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107512.WMF.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\OMML2MML.XSL.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WING2.WMF.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticnotification.exsd
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099183.WMF.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239955.WMF.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341561.JPG.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00563_.WMF
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00011_.WMF
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309567.JPG
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EET.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748G.GIF.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\powerpnt.exe.manifest
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\access-bridge-64.jar.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.ja_5.5.0.165303.jar.rootiunik.159-765-CA4
  File created: C:\Program Files (x86)\Windows NT\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\macroprogress.gif
  File opened for modification: C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00531L.GIF.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\BG_ADOBE.GIF.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files\7-Zip\Lang\eu.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansDemiBold.ttf.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Concourse.eftx
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rio_Branco
  File opened for modification: C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh87.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART6.BDR.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSSKETLG.WMF.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp
  File created: C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086428.WMF.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195788.WMF.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\TexturedBlue.css.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BZCRD98.POC.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\HEADINGBB.DPV.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\New_York
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zurich
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME20.CSS
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Teal.css
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00734_.WMF.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis.css
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN01308_.WMF
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar.rootiunik.159-765-CA4
  File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Jamaica
  File created: C:\Program Files\Internet Explorer\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE.rootiunik.159-765-CA4
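The file list above shows the pattern an incident responder has to inventory: the original file name, extension included, is left in place, a fixed suffix (.rootiunik.159-765-CA4 in this run) is appended, and a ransom note with a constant name is created in each directory the encryptor visits. The following triage routine is an added example for this report, not code from the sandbox or the sample. It infers the appended suffix from file events instead of hard-coding it, flags a suffix only when it is stacked onto many files with different original extensions (a legitimate name.version.ext convention never spans many extensions), and collects the directories in which the note was dropped. The report paths are copied from the signature list; the three benign entries are constructed. Splitting off exactly two trailing dot-components mirrors the one suffix seen here and is an assumption, not a general Buran rule.

```python
"""Inventory the rename-and-note pattern from the report's file events.

Added example; not code from the sandbox report or the sample. Report paths
are quoted from the signature list above, benign entries are constructed.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

RANSOM_NOTE = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"


def split_candidate(name: str):
    """Treat the last two dot-components as a possibly appended suffix
    (assumption based on the .rootiunik.159-765-CA4 suffix seen in this run).
    'AddUnregister.ppt.rootiunik.159-765-CA4' -> ('AddUnregister.ppt', '.rootiunik.159-765-CA4');
    a name with fewer than three components yields None."""
    parts = name.rsplit(".", 2)
    if len(parts) < 3:
        return None
    return parts[0], "." + parts[1] + "." + parts[2]


def triage(events, min_files: int = 5, min_exts: int = 3) -> dict:
    """Flag a suffix only when it is appended to at least min_files files whose
    *original* extensions cover at least min_exts distinct values."""
    files, exts, dirs = defaultdict(set), defaultdict(set), defaultdict(set)
    note_dirs = set()
    for action, path in events:
        p = PureWindowsPath(path)
        if p.name.upper() == RANSOM_NOTE.upper():
            if action == "created":
                note_dirs.add(str(p.parent))
            continue
        cand = split_candidate(p.name)
        if cand is None:
            continue
        original, suffix = cand
        files[suffix].add(str(p))
        exts[suffix].add(PureWindowsPath(original).suffix.lower())
        dirs[suffix].add(str(p.parent))
    flagged = {
        s: {"files": len(f), "directories": len(dirs[s]),
            "original_extensions": sorted(exts[s])}
        for s, f in files.items()
        if len(f) >= min_files and len(exts[s]) >= min_exts
    }
    return {"appended_suffixes": flagged, "ransom_note_dirs": sorted(note_dirs)}


# (action, path): report entries first, then constructed benign noise.
EVENTS = [
    ("created", r"C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"),
    ("modified", r"C:\Program Files\Java\jre7\lib\fontconfig.properties.src.rootiunik.159-765-CA4"),
    ("modified", r"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00116_.WMF.rootiunik.159-765-CA4"),
    ("modified", r"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf.rootiunik.159-765-CA4"),
    ("modified", r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EET.rootiunik.159-765-CA4"),
    ("modified", r"C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE.rootiunik.159-765-CA4"),
    ("modified", r"C:\Users\Admin\Desktop\AddUnregister.ppt.rootiunik.159-765-CA4"),
    ("modified", r"C:\Users\Admin\Desktop\BlockCompare.vbe.rootiunik.159-765-CA4"),
    ("modified", r"C:\Users\Admin\Desktop\ConvertExpand.wmv.rootiunik.159-765-CA4"),
    ("modified", r"C:\Users\Admin\Desktop\DismountFormat.bmp.rootiunik.159-765-CA4"),
    ("created", r"C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"),
    ("created", r"C:\Users\Public\Desktop\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"),
    # constructed benign entries: versioned names and a plain two-component name
    ("modified", r"C:\Users\Admin\Documents\report.final.docx"),
    ("modified", r"C:\Users\Admin\Documents\budget.v2.xlsx"),
    ("modified", r"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-compat.jar"),
]

if __name__ == "__main__":
    result = triage(EVENTS)
    for suffix, info in result["appended_suffixes"].items():
        print(f"appended suffix {suffix}: {info['files']} files in "
              f"{info['directories']} directories, original extensions {info['original_extensions']}")
    print("ransom note created in:", *result["ransom_note_dirs"], sep="\n  ")
```

Because the original extension survives, the flagged files can be restored to their original names from backup without guessing types; the thresholds (min_files, min_exts) are the knobs to tune against a particular estate's own naming habits.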
Drops file in Windows directory (1 IoC)
Processes:
  8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe: File created C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  vssadmin.exe (PID 1576)
  vssadmin.exe (PID 932)
Modifies system certificate store (4 IoCs)
Processes (all by 8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe):
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (same blob as above; duplicate content removed)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (same blob as above; duplicate content removed)
Note: the blob is a CryptoAPI serialized certificate (a chain of DWORD property id / DWORD reserved / DWORD length / data records). Its embedded DER certificate (property 0x20) is the Comodo "AAA Certificate Services" root (subject and issuer C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services; valid 2004-01-01 to 2028-12-31), its SHA-1 property (0x03) is d1eb23a46d17d68fd92564c2f1f1601764d8e349, which matches the key name, and its friendly-name property (0x0B) decodes to "C·O·M·O·D·O". AuthRoot is the store Windows populates through the automatic root-certificate update, so this write is consistent with the OS caching a trusted root during the run's network activity, not with the sample installing an attacker-controlled CA. Treat such a write as benign only after confirming that the SHA-1 in the key name equals the hash of the embedded certificate and that the certificate is a known public root.
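The check described in the note above is mechanical, so here it is as an added example for this report (not code from the sandbox or the sample): a parser for the serialized-certificate blob format, plus a triage function that reports which store was written and whether the key name, the stored SHA-1 property and the embedded certificate agree. The friendly-name record is copied byte for byte from the report's blob; the DER is a constructed placeholder (a tiny SEQUENCE, not a certificate), so its hash differs from the report's, and the registry path is constructed around that placeholder hash. On the real blob, property 0x20 is the AAA Certificate Services root and the check passes.

```python
"""Parse a CryptoAPI serialized-certificate Blob and cross-check it against
the SystemCertificates\\<store>\\Certificates\\<SHA-1> key it was written to.

Added example; not code from the sandbox report or the sample. The
friendly-name record is copied from the report's blob; the DER certificate
is a constructed placeholder and the key path is built around its hash.
"""
import hashlib
import struct

# Property ids that appear in the report's blob and whose meaning is documented.
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
}


def parse_serialized_cert(blob: bytes) -> dict:
    """Split the blob into {property id: bytes}. Each record is
    DWORD prop_id, DWORD reserved (always 1), DWORD length, then length bytes.
    Anything else (reserved != 1, length past the end, slack bytes) is rejected."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, reserved, size = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + size > len(blob):
            raise ValueError(f"malformed record at offset {off - 12}")
        props[prop_id] = blob[off:off + size]
        off += size
    if off != len(blob):
        raise ValueError("trailing bytes after last record")
    return props


def check_cert_store_write(key_path: str, blob: bytes) -> dict:
    """Triage one 'Set value ...\\Blob' event: which store was touched, what the
    blob calls the certificate, and do key name, SHA-1 property and DER agree?"""
    parts = key_path.split("\\")
    store, thumbprint = parts[-3], parts[-1]
    props = parse_serialized_cert(blob)
    der = props.get(0x20, b"")
    stored_sha1 = props.get(0x03, b"")
    name = props.get(0x0B)
    return {
        "store": store,
        "friendly_name": name.decode("utf-16-le").rstrip("\x00") if name else None,
        "properties": sorted(PROP_NAMES.get(p, f"prop_0x{p:02x}") for p in props),
        "der_is_sequence": der[:1] == b"\x30",
        "sha1_matches_key": stored_sha1.hex().upper() == thumbprint.upper(),
        "sha1_matches_cert": stored_sha1 == hashlib.sha1(der).digest(),
    }


def record(prop_id: int, data: bytes) -> bytes:
    """Build one serialized-certificate record (used to assemble the sample)."""
    return struct.pack("<III", prop_id, 1, len(data)) + data


# Friendly-name record copied verbatim from the report's blob (property 0x0B).
FRIENDLY_NAME_RECORD = bytes.fromhex(
    "0b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000")

# Constructed placeholder standing in for the DER certificate: SEQUENCE { INTEGER 1, INTEGER 2 }.
PLACEHOLDER_DER = bytes.fromhex("3006020101020102")
PLACEHOLDER_SHA1 = hashlib.sha1(PLACEHOLDER_DER).hexdigest().upper()

SAMPLE_BLOB = (FRIENDLY_NAME_RECORD
               + record(0x03, bytes.fromhex(PLACEHOLDER_SHA1))
               + record(0x20, PLACEHOLDER_DER))
# Constructed key path in the same layout as the report's, keyed by the placeholder hash.
SAMPLE_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates"
              + "\\" + PLACEHOLDER_SHA1)

if __name__ == "__main__":
    for field, value in check_cert_store_write(SAMPLE_KEY, SAMPLE_BLOB).items():
        print(f"{field}: {value}")
```

To apply it to the report, hex-decode the Blob value above and pass it with the key path; a mismatch between the key name and the hash of property 0x20, or a write to a store other than AuthRoot or CA, is the point at which "modifies system certificate store" stops being a side effect and becomes the finding.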
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  WMIC.exe (PID 1484): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (20 entries, plus one further SeIncreaseQuotaPrivilege at the end of the log)
  WMIC.exe (PID 1724): the same 20 privileges, logged twice (40 entries)
  vssvc.exe (PID 988): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (3 entries)
Note: the unnamed entries 33, 34 and 35 are privilege LUIDs the sandbox did not resolve: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. WMIC enables this full set on start-up whatever query it is given, so the signal here is the parent chain and the "shadowcopy delete" command line, not the token adjustment itself. vssvc.exe is the Volume Shadow Copy service, started to serve the two vssadmin "delete shadows" requests.
Suspicious use of WriteProcessMemory (51 IoCs)
Processes (source PID wrote to the memory of target PID; each target appears as that source's child in the process tree below):
  PID 1832 8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe -> PID 1868 cmd.exe (4 writes)
  PID 1832 8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe -> PID 1032 cmd.exe (4 writes)
  PID 1832 8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe -> PID 1392 cmd.exe (4 writes)
  PID 1832 8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe -> PID 864 cmd.exe (4 writes)
  PID 1832 8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe -> PID 1284 cmd.exe (4 writes)
  PID 1832 8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe -> PID 1680 cmd.exe (4 writes)
  PID 1832 8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe -> PID 1252 8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe (4 writes)
  PID 1868 cmd.exe -> PID 1484 WMIC.exe (4 writes)
  PID 1284 cmd.exe -> PID 1576 vssadmin.exe (4 writes)
  PID 1680 cmd.exe -> PID 1724 WMIC.exe (4 writes)
  PID 1680 cmd.exe -> PID 932 vssadmin.exe (4 writes)
  PID 1832 8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe -> PID 952 notepad.exe (7 writes)
Note: every target is a freshly created child of the writing process, so these writes are the parent setting up its children at process creation, not injection into an existing, unrelated process.
Processes
(depth in the tree is shown by indentation; the signature bullets under each process are those the report attaches to it)

[1] C:\Users\Admin\AppData\Local\Temp\8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe"
    - Enumerates connected drives
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command line: wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\vssadmin.exe
            Command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command line: wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\vssadmin.exe
            Command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies

    [2] C:\Users\Admin\AppData\Local\Temp\8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe" -agent 0
        - Drops file in Program Files directory
        - Drops file in Windows directory

    [2] C:\Windows\SysWOW64\notepad.exe
        Command line: notepad.exe
        - Deletes itself

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Notes on the tree:
- Recovery inhibition runs twice: once as five direct cmd.exe /C children of the first instance (wmic shadowcopy delete, two bcdedit changes, wbadmin delete catalog, vssadmin delete shadows), and again through the dropped batch file ~temp001.bat, whose children repeat wmic shadowcopy delete and vssadmin delete shadows.
- No bcdedit.exe or wbadmin.exe child process is recorded under the three cmd.exe wrappers that invoke them; a detection that keys only on the child image would miss those, so match the cmd.exe command line as well.
- The command lines name C:\Windows\system32\cmd.exe but the image path is C:\Windows\SysWOW64\cmd.exe: the sample is 32-bit and WOW64 file-system redirection resolves system32 to SysWOW64. Detections keyed on image path must cover both directories.
- The file writes (ransom notes and renamed files) are attributed to the second instance of the sample, started with -agent 0; the first instance orchestrates recovery inhibition and then spawns notepad.exe (PID 952), the process on which the "Deletes itself" signature fires.
- The separate top-level NOTEPAD.EXE opening the ransom note on the public desktop is how the note is shown to the logged-on user.
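The process tree is exactly the input a detection engineer wants to test a rule against. The following is an added example for this report, not code from the sandbox, the report or the sample: a small rule set for the five recovery-inhibition command lines above, applied to constructed process-creation records (Sysmon event 1 / EDR style) and then correlated by process-tree root, so that one stray "vssadmin delete shadows" from an administrator does not fire but several distinct inhibition commands from the same root do. PIDs and command lines come from the tree; the parent of the root process and the benign entry are invented, and the report does not say which of the three bcdedit/wbadmin wrappers got PIDs 1032, 1392 and 864, so that mapping is an assumption as well.

```python
"""Detect the recovery-inhibition commands seen in this run's process tree.

Added example; not code from the sandbox report or the sample. The events
below are constructed process-creation records; PIDs and command lines are
taken from the tree where the report gives them, the rest is invented.
"""
import re
from dataclasses import dataclass

# (rule name, ATT&CK technique, regex over the normalised command line).
# Rules match the command line, not the child image: the report records no
# bcdedit.exe or wbadmin.exe children under their cmd.exe wrappers, so a rule
# that waited for the child image would miss three of the five commands.
RULES = [
    ("vssadmin delete shadows", "T1490",
     r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    ("wmic shadowcopy delete", "T1490",
     r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"),
    ("wbadmin delete catalog", "T1490",
     r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b"),
    ("bcdedit disable recovery", "T1490",
     r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b"),
    ("bcdedit ignore boot failures", "T1490",
     r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b"),
]


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def normalise(cmdline: str) -> str:
    """Drop quotes, collapse whitespace and lower-case so that quoting,
    extra spaces or mixed case do not defeat the patterns."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


def match_rules(cmdline: str):
    """Return [(rule name, technique)] for every rule the command line matches."""
    text = normalise(cmdline)
    return [(name, tech) for name, tech, pat in RULES if re.search(pat, text)]


def root_of(pid: int, by_pid: dict) -> int:
    """Walk parent links up to the top-most process we hold a record for."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def score_tree(events, min_distinct: int = 2) -> dict:
    """Group rule hits by process-tree root and keep roots that issued at
    least min_distinct *different* inhibition commands (the pattern here)."""
    by_pid = {e.pid: e for e in events}
    hits: dict = {}
    for e in events:
        for name, _tech in match_rules(e.cmdline):
            hits.setdefault(root_of(e.pid, by_pid), set()).add(name)
    return {root: sorted(names) for root, names in hits.items()
            if len(names) >= min_distinct}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8ab4218a7ee9239d218f2729d6c00fb0246eeea1e97f85833dacfc73457c8b06.exe"
# The command line says system32 while the image on disk is SysWOW64 (WOW64 redirection).
CMD = r'"C:\Windows\system32\cmd.exe" /C '

SAMPLE_EVENTS = [
    ProcEvent(1832, 1000, SAMPLE, f'"{SAMPLE}"'),  # parent PID 1000 is invented
    ProcEvent(1868, 1832, r"C:\Windows\SysWOW64\cmd.exe", CMD + "wmic shadowcopy delete"),
    ProcEvent(1484, 1868, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(1032, 1832, r"C:\Windows\SysWOW64\cmd.exe", CMD + "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(1392, 1832, r"C:\Windows\SysWOW64\cmd.exe", CMD + "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(864, 1832, r"C:\Windows\SysWOW64\cmd.exe", CMD + "wbadmin delete catalog -quiet"),
    ProcEvent(1284, 1832, r"C:\Windows\SysWOW64\cmd.exe", CMD + "vssadmin delete shadows /all /quiet"),
    ProcEvent(1576, 1284, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    # Constructed benign noise: an administrator listing shadows must not fire.
    ProcEvent(4242, 4000, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    for root, names in score_tree(SAMPLE_EVENTS).items():
        print(f"root PID {root}: {len(names)} distinct recovery-inhibition commands")
        for n in names:
            print("  -", n)
```

The wrapper and its child both match the same rule and collapse into one hit per root, which is why the correlation is on distinct rule names rather than raw event counts; with the report's data the root PID 1832 scores all five.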
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\~temp001.batMD5
ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
C:\Users\Admin\Desktop\AddUnregister.ppt.rootiunik.159-765-CA4MD5
d1fbc8f71f6e94cc6578ceb3f867ab81
SHA1a189abd1efb5b22c321c6ec351afacb2972e7fce
SHA256badaaf485d1a886962f71d9836ab66db2e9b1a79212bb3dbca7a8f7e799ce27d
SHA5121a031003fe4ea80afea22580398ef793c55e096de534f607c73a582f9b6cd915e51b3c75a64f4a689f0f272957bea463045fb117241fbe1200630bdf5ca37c22
-
C:\Users\Admin\Desktop\BlockCompare.vbe.rootiunik.159-765-CA4MD5
3c6b69ee9367d519c9b5876da234ffa4
SHA16a441c5215c3cbdc7a780cc8fa6ebb6a39e3b2cc
SHA2562eda5a064234998753ebc5e5e234699747571491110699527322c025b056c58d
SHA512db9cadd222acfe2c3b9ccb70b66e8925b973d63339bc81d06d6f21e6379ab3868d06264d5fe8259b195a6e2dbb80069beec60684fdf99050062e2d98cf6d4f39
-
C:\Users\Admin\Desktop\ConvertExpand.wmv.rootiunik.159-765-CA4
MD5 a7fc99c5ef6d43e17c70820528723dd9
SHA1 9399e2ea492dee0d94a3ebfd3ee1b7a47220fff6
SHA256 8dbcc03cc49edd4dc936a07f3326bd8ad3bce4e8eb0508ff9133b58f3ef8bd3e
SHA512 80a3785849bee2d56e6f29ba9b6e8c13511b1096bdb2e88aba1645781a276652aafa366fa6b0ccc6c2017f0d736d405734bce673e39de65780c14c710e1d8cde
-
C:\Users\Admin\Desktop\ConvertFromDisconnect.xps.rootiunik.159-765-CA4
MD5 7c919049ce064fdec310230562d9fd73
SHA1 7d8c62339bd2399500994ca5eb0998a02bee3efa
SHA256 bbfbf77b71c622afe85661a4cb8e997eac8125a4519574bd7134d4ebbfa27069
SHA512 bdd848813aa22ef4489a2e866a53a712f400fbf1fe8ffb04ce9e8ff32834fc42640334958ec901c7d8a5a43ea532de8734df7aef4e5e5c44ba5f4df82363504c
-
C:\Users\Admin\Desktop\DisconnectPublish.ex_.rootiunik.159-765-CA4
MD5 61f174f4be8e19b156e2effa418788c0
SHA1 9d59378f0e07ff93052b368e0e1ea9b74a463c24
SHA256 689c335d17c31f2a97099b761ad81ac69b4d39fcb55b4def0f6e34732c62620e
SHA512 240aa1ff566c8baa2956522cf5064c0a5c4ee6123f23a3eb37d57af9de6591e2fb3c9234b3cc6915f05b5f4518619fb48af4ba86a2cc4b96afc9fcb20d211165
-
C:\Users\Admin\Desktop\DismountFormat.bmp.rootiunik.159-765-CA4
MD5 04de76a908200d05bb51c1c87863a528
SHA1 c464a83c3473ed03d40be94d468904bf72b8ff78
SHA256 743ed51ac9bc779c619e46cc3e478f5136b2913b07e8b83e4daf27324a2c221d
SHA512 c9d9a06b94f46bcbc70be56d68c5a88a3fd1e187c48524be5b3a7b85b33e11513cc100f70e5d3115175914662f23b4dc067d5b3cd77ee82a72ff822302271ba5
-
C:\Users\Admin\Desktop\GetDismount.mpe.rootiunik.159-765-CA4
MD5 4393d370c1f0c02f3293aef27d5078d3
SHA1 b7867a93fd2b1c75ccd32a21679d5fc3fb848550
SHA256 4f9bc4d0c7da018cb727c7d15e3b969d0db5b41a772babf811c3bb5c3b61e4bb
SHA512 366e9e5b178539811bd00bb33e3b494688411c9be5314d270d84407e5af423f43ece22f8e7fc4c3088a090a0a11962588d8affe7021791d4997e3a352e6030c6
-
C:\Users\Admin\Desktop\GetLock.pot.rootiunik.159-765-CA4
MD5 dfd05ee3f7d7505dd61ab152c4d71d6f
SHA1 8ae32e12b17ad297f0cba7136ef2d4464949a3d9
SHA256 19d73b73639ec0c42f2a92c86e95ce7a0abe8b7cb13a4ee4043690af103dab03
SHA512 0a1c1e2159f594f6b1d1df5ae6f0648692649e8c78778cc8671f4dd6ed91427ae97030e92b88418d5f41372da966076dcd8be720ec1e6a06669834a9e032a87d
-
C:\Users\Admin\Desktop\JoinConvertTo.htm.rootiunik.159-765-CA4
MD5 b14e0428a70974eb5a7781f607e4efd7
SHA1 bb0ae244d13d70f0797e9cb09364ed05bc86c5bd
SHA256 30378d4210acadb876e179a64b055546a3e9b5888cf38b35f25876f832caf1f9
SHA512 0a8c298b43b82adf06713a280f2f2db386f135d072d845852e2687c4a1942080ed32b81ad4a44e8db40262aee100d2f9949b2dec9dc85da5a55b456cf6e0cae9
-
C:\Users\Admin\Desktop\MoveEnter.pptm.rootiunik.159-765-CA4
MD5 52fb9cf922d607f28ec9120a91903069
SHA1 05af0bd9a9272dbf5ec79e7845d9aa194d618e7a
SHA256 137f515cb296975a21c3f35cab81bd7a5d432816a245c864ae2800f16d2b3bfc
SHA512 d1da3c8e3fab9531aec69460c9b66abb42fa6ca829c3d483f47426410f02d648a9ea9af18cba3f11afed69076f4604bc194f7263c68b5c3f284ef8d7e814e8c8
-
C:\Users\Admin\Desktop\MoveExpand.mpeg2.rootiunik.159-765-CA4
MD5 9777d4ab54b4d13d0fe1cb4d390686ab
SHA1 62b473845c4fc6a66928c7c9cd9b5dc50aa4bf81
SHA256 e2a06467e0a46fc9ead8eb0d130cfdfc57922416383abac3d1be32a030322aef
SHA512 e522bd0e4a2e3471d3b0802acbe179f7a26d074e71581c495a3e929b95967d5e7e57727b67c874d4d2981519c13d50b18a24ebd913a5d53891cd1785d45dbfc3
-
C:\Users\Admin\Desktop\ReadSuspend.easmx.rootiunik.159-765-CA4
MD5 9a3005913ff6659c0fe7064f0098a15a
SHA1 dfc8d0847b0831fd8dc9271c44635e9ea49378e2
SHA256 2ca1ad866a5ae067c92da9773a53d16a5246d55f262bed1b81e05ad0e2e54691
SHA512 bf85441a4423a24ce5b273f2106466ae13f5609da617c13aaabf850052c39bdcfa4f9435ca5489415887fa0a3fbf69a0bf543d9f05a7d72b17916651da524118
-
C:\Users\Admin\Desktop\ResizeSend.pdf.rootiunik.159-765-CA4
MD5 05bb10a8e684e842e0594fd0352f0f5a
SHA1 805b09c65a2b47f56576d0462c7d0509428e162b
SHA256 91703ec17ed9e1bdb16619d8a500df7f2d7fbbeb1b28c1857edc4c5f888165eb
SHA512 9d2c1f0e13b8dbc0e20ae689cd89a1d69d66ac0d4078ef47237b1a04157b3f63427f9642f406fc1faa8acfc34d2e8b630cd49c593a18db256b45cfe0a8a12f0f
-
C:\Users\Admin\Desktop\SendTrace.pot.rootiunik.159-765-CA4
MD5 66a198fd5d4981d4b4aeae9c0ef8a81f
SHA1 89359fcfe3bccb4d6f173f579bf8edc5c0000411
SHA256 ea2e39b6d564f1a28e12c0cd7a9896d9e43ff809284052a3b1f425c364857f93
SHA512 c85ba487a36c9ff2aa93417c0d208f2574844810c50ed3ee18b296443e8bf2ff9e543c8ef3a7ffdce3f5bf5c7e5e3f110589be52a9935079ebc5cdd2212fffe8
-
C:\Users\Admin\Desktop\SkipSave.wav.rootiunik.159-765-CA4
MD5 a741169a023a70f87e3cf2d03345c45d
SHA1 23b868c2e972eeff32d3c5577015e23a319eb6cd
SHA256 9600f744ca296a5118b2ba3fd70780c74df2bb000b7a29a817851637deff5045
SHA512 ccdae562cc640bfd180882b3491a7156b68db5f0b03758366a59bcb19edfa99b1ee0b64406fcf272ec42c1696e55ae5eb3c3050d9af545151a80ea3b22c62e6d
-
C:\Users\Admin\Desktop\StartCheckpoint.DVR.rootiunik.159-765-CA4
MD5 210da1bf4917cd2592f7f00b6479c176
SHA1 d8f815c724c9f8ab2ccfe97393c819dce783f481
SHA256 880b4fdb5090a634bb0720e34816a6dee0eab25229d4e24ece3f338848568622
SHA512 79052555e0110c54b440dabdf778574424924922c88f10dceae5c5d13a1f1a606eac1fd4b59754f6500e405446ba9a3263194f857cfd04ef6113bbcec8129413
-
C:\Users\Admin\Desktop\SubmitEnable.vst.rootiunik.159-765-CA4
MD5 5c3f6431ab39f5b3d0741a71e695ba81
SHA1 2296a98378c11f29cf3f0f599ccfda0b5248f803
SHA256 79aa7fda68d45cc74a903c4a279955519e1927e208b010c45f976787aa2784c5
SHA512 f33c9561f23c4fd11260a0608f148982026bd9dbd4faf7815419661514cb862ce47df0a4002f1b4afd6737b4f50a11d641b813325883b9f4e0a4d60ed8848764
-
C:\Users\Admin\Desktop\SubmitSend.contact.rootiunik.159-765-CA4
MD5 6cc3ff6ca0c00e6ad57518fb918a29e9
SHA1 7b7b912c074a786c3db8cecf65673f097f3ca006
SHA256 ff2f99d6964fca102f8d41e78331499a472dfa71ce076b75b07271fc3305bbf7
SHA512 022bd55892b7534684878ed94132a4c381270faa472c5c069f92114c627756912f38a311bf86931bfa892cfb025837c4a0a93cc8688c45e452610c9cd5b632ce
-
C:\Users\Admin\Desktop\SuspendRegister.svgz.rootiunik.159-765-CA4
MD5 1c6128111bda5878c4f2f1661268bbd1
SHA1 4c8dbc7285828facd5c8b1e3e8bf2e68901452a7
SHA256 57dbe026fc6e2618bf9a4f07f0568c9730dfc024656cbee86e3e183421fb4208
SHA512 c6046e4fd107c734c80d25153dd0bddedb6d230236e2e2fab8736d6307731061d9642efc3f5df3ca701d201c1272e083247639d95fd9d3a7b3de7e8bf4066131
-
C:\Users\Admin\Desktop\SwitchComplete.xps.rootiunik.159-765-CA4
MD5 3db03c5e22ec9436ff67a6c868519fe5
SHA1 29d8c670bc7846d0fabfccf5ea75e941b4db6d82
SHA256 cb5a3043f6eb024febcb3fed46fa97645c1ccf07fcb758414e4bc1deb6f92655
SHA512 75068066dfcb86e63178eb47fd0b2e1b680340c7502aadf767431e04f41f2a75422f21215c588855fcd9f55752b57cef9119f1f29e82aec45c3f41b0f006cbdf
-
C:\Users\Admin\Desktop\TraceFind.ADT.rootiunik.159-765-CA4
MD5 f3ad370505a044685aafa3bbc208ee9b
SHA1 14b360954b7dd9f687f0782cf51738ae71674e64
SHA256 c007e9fae9d7cc4bff367394f6740c6fa74aa23c24a8c76fdeeac95978b068a9
SHA512 c14c47e79a7fee75b3424cea56f9ef45d658b21e0c32cfeda4c487d37719477a9d2391448b112dd89a76d707a92dbbb5e54566ae70a051727f0a747006190b91
-
C:\Users\Admin\Desktop\UndoTest.snd.rootiunik.159-765-CA4
MD5 e98ee1afc92fc626a7bc24ca80996d8b
SHA1 cbf4155149e171d829629a68e94513f34089f3cb
SHA256 9f8fe30a7de1c6f48794f01e632132f930027c88d32d4201c87919bcc428f818
SHA512 176e35e1169256b6fefcb6ee73e827541162956477c7e95d1de96edf5fd401c6f75564027abb1b2c2ad9311b1eea8d3611f0a844206919486e6de8f2aa7facc3
-
C:\Users\Public\Desktop\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
MD5 576bc8ae6c484340945fd87dce032c4e
SHA1 e9511d564a4dd52ef90f3bac3986cb679518c02d
SHA256 3ed251be8e40c39ee71cbb5a7e8602ff4b973c845b031472d9841faaf204caa8
SHA512 9b26b95d0923f2393e3f6f2286d0f15a31a5eec7a8cdfa4d0ee0391ed002b7400e8cf7153ea1af28d15ff0b34a26c85f5a3c7c1e6f7e366621396e0983b13fba
-
memory/864-65-0x0000000000000000-mapping.dmp
-
memory/932-73-0x0000000000000000-mapping.dmp
-
memory/952-101-0x00000000000A0000-0x00000000000A1000-memory.dmp
Filesize 4KB
-
memory/952-99-0x0000000000000000-mapping.dmp
-
memory/1032-63-0x0000000000000000-mapping.dmp
-
memory/1252-76-0x0000000000400000-0x0000000002BBE000-memory.dmp
Filesize 39.7MB
-
memory/1252-68-0x0000000000000000-mapping.dmp
-
memory/1284-66-0x0000000000000000-mapping.dmp
-
memory/1392-64-0x0000000000000000-mapping.dmp
-
memory/1484-69-0x0000000000000000-mapping.dmp
-
memory/1576-71-0x0000000000000000-mapping.dmp
-
memory/1680-67-0x0000000000000000-mapping.dmp
-
memory/1692-102-0x000007FEFB681000-0x000007FEFB683000-memory.dmp
Filesize 8KB
-
memory/1724-72-0x0000000000000000-mapping.dmp
-
memory/1832-61-0x0000000000400000-0x0000000002BBE000-memory.dmp
Filesize 39.7MB
-
memory/1832-60-0x0000000000220000-0x0000000000257000-memory.dmp
Filesize 220KB
-
memory/1832-59-0x0000000074D91000-0x0000000074D93000-memory.dmp
Filesize 8KB
-
memory/1868-62-0x0000000000000000-mapping.dmp