Analysis
- max time kernel: 93s
- max time network: 126s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 27-04-2021 07:06
Static task: static1
Behavioral task: behavioral1
  Sample: e826.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: e826.exe
  Resource: win10v20210410
General
- Target: e826.exe
- Size: 371KB
- MD5: e38ccca299db41904493bfc51ced614d
- SHA1: 4b9a2c510913dc92cf8f5f879ab198fe5e54f544
- SHA256: fa789f56ef3f5075fc02c53cd937fe1580ae46217cf0a82bd4871043276fb086
- SHA512: 961b03275cd76f4074e1c622216903678067f6115ce6f004be3c62939a13653891f87718e587a9155de999bf9d7c167a687290b7bab40443cf3395f9486ce654
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
rootiunik@cock.li
TimothyCrabtree@protonmail.com
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
  description                   ioc                                          process
  File opened for modification  C:\Users\Admin\Pictures\OptimizeDebug.tiff   e826.exe
  File opened for modification  C:\Users\Admin\Pictures\RepairGet.tiff       e826.exe
  File opened for modification  C:\Users\Admin\Pictures\WatchReceive.tiff    e826.exe
-
Deletes itself (1 IoC)
Processes:
  pid   process
  2388  notepad.exe
-
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (all entries: description "File opened (read-only)", process e826.exe):
  ioc
  \??\Z:
  \??\J:
  \??\B:
  \??\Q:
  \??\L:
  \??\I:
  \??\H:
  \??\F:
  \??\X:
  \??\W:
  \??\R:
  \??\E:
  \??\O:
  \??\M:
  \??\T:
  \??\S:
  \??\P:
  \??\N:
  \??\K:
  \??\Y:
  \??\V:
  \??\U:
  \??\G:
  \??\A:
-
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  11    geoiptool.com
-
Drops file in Program Files directory (64 IoCs)
Processes (all entries by process e826.exe):
  description                   ioc
  File opened for modification  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms.rootiunik.A38-0F7-12B
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml.rootiunik.A38-0F7-12B
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\XMLOffKeys\Keys_OffVer14.xml
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\mask\12h.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\en-US_female_TTS\common.lua
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml.rootiunik.A38-0F7-12B
  File opened for modification  C:\Program Files\VideoLAN\VLC\AUTHORS.txt.rootiunik.A38-0F7-12B
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\common\Jack_Of_All_Trades_Unearned_small.png
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-150.png
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\main.css
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-oob.xrm-ms.rootiunik.A38-0F7-12B
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\ninja.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-16_altform-unplated.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\Assets\Images\Tiles\Square44x44Logo.scale-200.png
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\10146_20x20x32.png
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-200.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-96_altform-unplated_contrast-white.png
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\add-comment.png.rootiunik.A38-0F7-12B
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\plugin-selectors.css
  File opened for modification  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.rootiunik.A38-0F7-12B
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\msipc.dll.mui
  File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\AppList.scale-200.png
  File created                  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\Tile\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20_altform-unplated_contrast-black.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png
  File created                  C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\InGame_Controls.jpg
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF.rootiunik.A38-0F7-12B
  File opened for modification  C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml
  File opened for modification  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms.rootiunik.A38-0F7-12B
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-pl.xrm-ms
  File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-125_contrast-white.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-200_contrast-black.png
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\ui-strings.js
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\ui-strings.js
  File opened for modification  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms.rootiunik.A38-0F7-12B
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8ES.LEX
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\ui-strings.js.rootiunik.A38-0F7-12B
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\ui-strings.js
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2017.203.236.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fi-fi\ui-strings.js
  File opened for modification  C:\Program Files\7-Zip\Lang\lt.txt.rootiunik.A38-0F7-12B
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar.rootiunik.A38-0F7-12B
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART14.BDR.rootiunik.A38-0F7-12B
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\PrizeHistory\awards_silver.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Theme\theme_mobile.respack
  File created                  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tiles\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms.rootiunik.A38-0F7-12B
  File opened for modification  C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.boot.tree.dat
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp9.scale-200.png
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons2x.png.rootiunik.A38-0F7-12B
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms.rootiunik.A38-0F7-12B
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-400.png
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunpkcs11.jar
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt.rootiunik.A38-0F7-12B
  File created                  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\ProgressBar\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\ui-strings.js
-
Drops file in Windows directory (1 IoC)
Processes:
  description   ioc                                                process
  File created  C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT  e826.exe
-
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  2204  vssadmin.exe
  932   vssadmin.exe
-
Modifies system certificate store
Processes:
  description       ioc                                                                                                                          process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349        e826.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob value omitted)  e826.exe
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (tokens in the order recorded, grouped by pid and process):
  3052 WMIC.exe:  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  4036 vssvc.exe:  SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  3052 WMIC.exe:  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  2308 WMIC.exe:  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34
-
Suspicious use of WriteProcessMemory (39 IoCs)
Processes (source pid -> target pid, source process -> target process; repeated events for the same pair collapsed):
  3944 -> 3756   e826.exe -> cmd.exe
  3944 -> 3776   e826.exe -> cmd.exe
  3944 -> 3596   e826.exe -> cmd.exe
  3944 -> 3840   e826.exe -> cmd.exe
  3944 -> 2144   e826.exe -> cmd.exe
  3944 -> 1188   e826.exe -> cmd.exe
  3944 -> 2044   e826.exe -> e826.exe
  3756 -> 3052   cmd.exe -> WMIC.exe
  2144 -> 932    cmd.exe -> vssadmin.exe
  1188 -> 2308   cmd.exe -> WMIC.exe
  1188 -> 2204   cmd.exe -> vssadmin.exe
  3944 -> 2388   e826.exe -> notepad.exe
Processes (number = depth in the process tree)
1. C:\Users\Admin\AppData\Local\Temp\e826.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e826.exe"
   - Enumerates connected drives
   - Modifies system certificate store
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\Wbem\WMIC.exe
         Command line: wmic shadowcopy delete
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\vssadmin.exe
         Command line: vssadmin delete shadows /all /quiet
         - Interacts with shadow copies
   2. C:\Users\Admin\AppData\Local\Temp\e826.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\e826.exe" -agent 0
      - Modifies extensions of user files
      - Drops file in Program Files directory
      - Drops file in Windows directory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\Wbem\WMIC.exe
         Command line: wmic shadowcopy delete
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\vssadmin.exe
         Command line: vssadmin delete shadows /all /quiet
         - Interacts with shadow copies
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
   2. C:\Windows\SysWOW64\notepad.exe
      Command line: notepad.exe
      - Deletes itself
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5: ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1: b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256: e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512: b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
C:\Users\Admin\Desktop\CompressUpdate.m3u.rootiunik.A38-0F7-12B
MD5: 3c7b35c69b0d70507a5377dde0452347
SHA1: dc230c535e98111f223839c17ae48f73bfa2fcd8
SHA256: 5f1a1636dabd0316c1e0db62529398bdbe511deaabd3796cf0fd4a4b0195883d
SHA512: b9a3001eaa36eff612f8a2f7d45318733c70e58876edb4ac8a627f0002948f4335570e4529b72af475d2013764fa3b5b32ea27bf614e62a8fd58dc01c6678eb3
-
C:\Users\Admin\Desktop\ConvertFromEnter.vstm.rootiunik.A38-0F7-12B
MD5: fa2e0af31e19386a2d085fff843d719b
SHA1: 563ea5bdbb3f95d5addda8a0a811c58e4e3a3e14
SHA256: 3793deb3702b80285707879c299384c7166a54cdbc6abee8103a300df6e3de06
SHA512: 1e0e1ffc606d171029e6dc505deca0bfa62e4046d7219be0f3e66026ad133c625d529ab630604de8f675146754e014efdb6b32944df271f18c701c9e41fe6418
-
C:\Users\Admin\Desktop\ConvertProtect.png.rootiunik.A38-0F7-12B
MD5: bbafe49cf5a842049765f8d095a487cd
SHA1: 0d381ff077c4ea5c87d23ef798b78cfbdecb5415
SHA256: 03648f864fdcf39553a550c97f76f09e1e75553b793810b024e94fca06352333
SHA512: 4afe7246b293403db57155d1ba83e1ed990d2c9afa4ecc40f4f4159199b14ca4a99c4181fcedff0b5b2c345635e3204c2456e5424c0e096324bd27a68646b0f3
-
C:\Users\Admin\Desktop\DenyOpen.html.rootiunik.A38-0F7-12B
MD5: 8d0eee59e19b4032b2d470b046240627
SHA1: 257b0b3bd459c93dfdfe3a3317101282a65198ab
SHA256: 2fdce71a8922609bc0a7f67ae3ac4a285e23525423f1deb99f112bf73d2ecaff
SHA512: 2a896c404ef6dc172b471b7fcd300ef1705fa3e5fe02e560bf695d78fed420777cdd4414814288d3141996f1ef74688a139df74a5c96957ddbcd6a1cd83e1f38
-
C:\Users\Admin\Desktop\EnableRedo.wdp.rootiunik.A38-0F7-12B
MD5: b0c7d771f47152908cded715ccbe3e59
SHA1: 3a121d16401f2661e7c0f0612aafe7ef64200cff
SHA256: b8fef85e12e4a9c521892a5727c2ed8b943bb047632d6e36f5f4088b536b863f
SHA512: 934e6244993157c7832820cbc74b941b7749872b4d2e3515432de4918ef21c254fbfe2d4ddeed25d1d776c212a8c3b33e640fcd3149c7a51db60ac65c331871a
-
C:\Users\Admin\Desktop\GetSearch.zip.rootiunik.A38-0F7-12B
MD5: 3461d3d017b3a67cbd616eae7c346b40
SHA1: 70d8e22ba41bc9efda8a9e24c6cd6bc22d24253f
SHA256: de0496e7da5d8afc4c39c8daef84dc70d799e986192c4906fcfc8bd582d3a231
SHA512: f4b14c6d496ed4072fd4ac8e3b810363eab1c285112a9faf3738bababd2b0b5e61aafeffc1c6a00ec8c773e5147f7d384dbc5c466af07aee0c590e6b416e811d
-
C:\Users\Admin\Desktop\JoinDisable.gif.rootiunik.A38-0F7-12B
MD5: 66e7205b88755e871656b18445573363
SHA1: 346193bb5131bd90573ab07bfdb547e41016abb9
SHA256: 577ee1c639ae532d7bceedfb8d6deddbffa0d5ffa399b78b4f56c81b1014016f
SHA512: b9631b7d760f7a8b8978196bccb53a9388948862c7130084efc0a63f4ffe8d9a7ac0c3ec23f60dd002d3413aea1742b59bbdb23027f17db68c4b47b87c426ecf
-
C:\Users\Admin\Desktop\MeasureConnect.mov.rootiunik.A38-0F7-12B
MD5: 07f7eca017ae311c99e95e1812f0c91a
SHA1: 3d038c9d72bca23ec3dd5af50327e681cfd2431b
SHA256: ef9846a5b48d381e42d1cd83194931b59ddaa74d310b3a88b489457cd4d7ef58
SHA512: d9b8bd1897d1dd0552af3e00485592b86284c9927cdbe4f02e3adaac4247cc35bc45d8c6a7416ddf0f90ef6108033d8581ebf23fd6d6a6101d3c68fab60c8c60
-
C:\Users\Admin\Desktop\MergeRename.temp.rootiunik.A38-0F7-12B
MD5: b519bf1bffaa94592a4e4d4fc98953e0
SHA1: 39a9278d5c49700bdc7e81559d1b9a444dbf4d0f
SHA256: 96b60dbedbb4555b0c0c489fa9fe3df20463d264410dbfe362fba3b49929b77b
SHA512: 8de8c8cde8b9354ac43e870ecd42e9a4099044da0c24f80ab35a1b2d141ae6d3f438a2a0548bfb7ba47832faf2f35dc2ddd6af793d511804ebd8ab5a2d592d0a
-
C:\Users\Admin\Desktop\RedoClose.au3.rootiunik.A38-0F7-12B
MD5: c2452935a58f753fd36886f856c1c042
SHA1: b0a5c4ae3ac056d2247e89bdad85a3fb3254b959
SHA256: 9956923802935204246342eb1db8011229db854d7268ded2552f074013bb22e7
SHA512: e2cdf5f569ce56e2b1bcbda477aabda62de90f2191396df59ce1236c7a020f75512f0c461e6489782f899bc4956bdcd630d1a014b8f3678baf184c22c5d8dd78
-
C:\Users\Admin\Desktop\RedoStart.crw.rootiunik.A38-0F7-12B
MD5: ba17bbbc7546e274308950946440b172
SHA1: 28d528a114a6b02ba247c81c82f53e2dc61d7706
SHA256: b78ce620e838c990700be54a166645d2bce30dab67894756ae48ee9667f5db04
SHA512: c81b36a4f8c382994f7595e2840f381548d9ebe0cbd6d5523b547bf702695d8cafe511fb6065666b3cc58bbaa702bd36a19b26ddf1294ab19338fa8833eac604
-
C:\Users\Admin\Desktop\RepairRedo.vbe.rootiunik.A38-0F7-12B
MD5: 70f7ad310bca0a41fb027bd23cca577b
SHA1: 5e3580b3e348b72971bdc782dd4e42a2bb2e8f7d
SHA256: a9f123111c7c04f878d915368bfbaf1bbe4fd22315516c14184722f82bb7cd8f
SHA512: 7f0eabf04a13f5b062023107d3a89a47b67d68cae3817747d66dc149da2fcd5105ff84475275341bdc577b30a8248f1e7fc4d33d55d44bebb4fa713d36ab76f7
-
C:\Users\Admin\Desktop\ResetInvoke.ppsx.rootiunik.A38-0F7-12B
MD5: ca410ff23a73c1193bbed466a1979299
SHA1: a37cf57ba672706f2d9b1b4baa183c8dc5d2876b
SHA256: 42ef9e320574b8a1fc93de8be9d43f01bd315ebc8c6175622377aeaa4c48c227
SHA512: eb4af9244a6cdb11f794bb47b117221daf3e5ce73c0474b3bd38befc42df776a524956e34b044a072576c1b2b267c6065d53f6bac7dbf141dc3ae097a60842dc
-
C:\Users\Admin\Desktop\RestoreSelect.ram.rootiunik.A38-0F7-12B
MD5: 6d0627ea66397247b5bf6110b9dc96b9
SHA1: b1c9c9664a7d79fa9470bf8ece5d4d938a0e741f
SHA256: c67fbac38af777f0871cd22b5733ece556345349b52f24b5eb473abe6e2d73e6
SHA512: ab77d0c264552a8ae0db216ddf374a2644071fe081fec3a83d7fe0ac065cb7f6fb424bae30ef504e0208ada6210c0af15f965ac936bfe4aa50431c62a340c350
-
C:\Users\Admin\Desktop\RevokeGroup.scf.rootiunik.A38-0F7-12B
MD5: 4e772a837e33cb09973e3e3480357529
SHA1: d57b364f06f82e0edf94c8cde8d9276d1ce2ca36
SHA256: 4debb21757220f4250a41840654042af39bc7f80dfa5a57dac6609b382ace35c
SHA512: 3e8f2079286a582327287190b77149c55564ce4f945785486d58f98c1619acafbf8e9d9e08702248a62e42ba1502e18aa202f67e39e01ae4becf0aff304d1e50
-
C:\Users\Admin\Desktop\RevokePush.m3u.rootiunik.A38-0F7-12B
MD5: 845755406531406e53046009abde07ba
SHA1: 3fac6b269a849a7dcb089a76b3eb0cc5c6a6a4f1
SHA256: 660a3ffc6d1a9189533b40563eb86fadc150ebd86d3eb31b11fa75a02771c8b7
SHA512: a2f0587a078ae0dc101fe166398d4bb1bbc0f2ecef154d5ff67fcc60982ddedb0233e33963053c9460970a246f5bafdff27f7e5a9d78cf520ad98f4ec79395f4
-
C:\Users\Admin\Desktop\SearchPing.ico.rootiunik.A38-0F7-12B
MD5: 9d703a0522935fa4e7f41c39a095cf9b
SHA1: 5f130048127faece2c95572a83a3b170943634ee
SHA256: 0095ca35c62e574d611e27956541833e4a3a3e9fe5015114d6831d255ab3280a
SHA512: 022df0cb2c2b4d5f59a2663b40e704069e7f873c1aa003e36b966c345b400095095d062b76a4e39fb07717ef3b4e095b6f589f3459762ba4ebb3ae20e58c75db
-
C:\Users\Admin\Desktop\ShowMove.xps.rootiunik.A38-0F7-12B
MD5: b26b6eea4bc7c2a45f7e681034a2a1be
SHA1: 7194eea3acdf90a95658396e7a33a7d208d12a37
SHA256: 301a17608a547bdd60fc357c393b4329d152be850638e7df5fd40e2270364bfd
SHA512: 97e79413089eda3b299abd9c6955f725c7d5fbde04ace58e7956a9ded7bcf8c588141f2b6cc2f7ef0a8935c2203762b96169e1d1d0ffb16b014f821a551bef41
-
C:\Users\Admin\Desktop\StartMeasure.pcx.rootiunik.A38-0F7-12B
MD5: 425ca685072317daf77b18f00c2f1dda
SHA1: e71a0c2a5288477678ba54b41340088c5cc71ed8
SHA256: caaaafcb452f10f569e83c7590ad43d56061ecec9b9ade59044b7784c94ec03b
SHA512: 83eeeb958b7b5810e4dc7819a47e756dc5b31118d76e73bc8e33ee06a909c013a87e4c08b42063f4dea87efd3cf17a06e87539f04c20f7f7ba5d9de443022cd5
-
C:\Users\Admin\Desktop\StopSplit.ttc.rootiunik.A38-0F7-12B
MD5: 7e527d0c6ed0897a0133b63aa9bcc269
SHA1: a0e0af0b9596b96025b3b85f6415ed885e2df72f
SHA256: 2143c6452ca1caa7f652c1661e86a1ebb4a1426caa19c8c32ae6ccf0133061a8
SHA512: 8ea2255695f5a1c8301176aaddefc0ac44e31866bc3b6088cae3769e81a4c2a4326799e795f479b4531eb9e0e7062ae210eb516a540e57047b2c100e468b5bbc
-
C:\Users\Admin\Desktop\UndoRequest.otf.rootiunik.A38-0F7-12B
MD5: 66e3d1760cc8f8d4958fef3db3c671c3
SHA1: 2a6993d3f42bbfe84e5bcd936439fc24514eb7ce
SHA256: cbb927d0bf165ba403086dedb18ef7ee2f8e4982439fd4ee6294627cb3627018
SHA512: 3d24dd79c15262c02cf448982a35a3f54e8eb9af3d7955989943fd36a68cff7dcda7a1b12bd49c9cf388afa5fd667d3a055d8d0181748153528c87e2bef7c178
-
C:\Users\Admin\Desktop\UnpublishShow.M2T.rootiunik.A38-0F7-12B
MD5: 4b64ce1e1398e237540d686c4345985b
SHA1: f3a78852d478eafef24bb5ed08fc28087bdf3913
SHA256: 42e6d5efb7868d4af36bb19cc57919ae90cae66cbba78d842a3f3f7403898931
SHA512: f7e0af722702012bf02b337e0e046d7f72b94d00d73a34493d2c9bf2a76866b8f0096143d223dca05e85bc368e282aa364867fee57fe3d7bd103cf525bec6364
-
C:\Users\Admin\Desktop\WatchStop.mov.rootiunik.A38-0F7-12B
MD5: 933d1bbb2bf59948f2729aa29f6f1c71
SHA1: 51cf7aa01381fe05b5558ba2479ee1eb3c4fc327
SHA256: 7a5e0b1d96cd15b1616d2a375447a02c7836c4d19c9543b836db153bd3e99848
SHA512: 4ba412f4f91f43a15536e2ef21b45334d82571b9fa7f9b443a0a0559672a4f24d4c3b42586f0288d276125adb00558a6e3f420a0a83b80260af9be29945f8eb4
-
memory/932-124-0x0000000000000000-mapping.dmp
-
memory/1188-121-0x0000000000000000-mapping.dmp
-
memory/2044-122-0x0000000000000000-mapping.dmp
-
memory/2044-128-0x00000000024C0000-0x00000000024F7000-memory.dmp
Filesize: 220KB
-
memory/2044-129-0x0000000000400000-0x0000000000855000-memory.dmp
Filesize: 4.3MB
-
memory/2144-120-0x0000000000000000-mapping.dmp
-
memory/2204-127-0x0000000000000000-mapping.dmp
-
memory/2308-126-0x0000000000000000-mapping.dmp
-
memory/2388-153-0x0000000000000000-mapping.dmp
-
memory/2388-154-0x0000000000B60000-0x0000000000B61000-memory.dmp
Filesize: 4KB
-
memory/3052-123-0x0000000000000000-mapping.dmp
-
memory/3596-118-0x0000000000000000-mapping.dmp
-
memory/3756-116-0x0000000000000000-mapping.dmp
-
memory/3776-117-0x0000000000000000-mapping.dmp
-
memory/3840-119-0x0000000000000000-mapping.dmp
-
memory/3944-114-0x0000000000970000-0x0000000000ABA000-memory.dmp
Filesize: 1.3MB
-
memory/3944-115-0x0000000000400000-0x0000000000855000-memory.dmp
Filesize: 4.3MB