Analysis
- max time kernel: 111s
- max time network: 110s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 28-04-2021 10:04

- Static task: static1
- Behavioral task: behavioral1 (Sample: sample.exe, Resource: win7v20210408)
- Behavioral task: behavioral2 (Sample: sample.exe, Resource: win10v20210410)
General
- Target: sample.exe
- Size: 486KB
- MD5: 237d76f961f8f550c4c4bbfab30153a6
- SHA1: 5682d74259f61ac05b4099159ebf62377fd7586f
- SHA256: d07923f73f1b5f41ab02c3239468bc0eacfe31c02b84814b6bc522a98d9b4b22
- SHA512: c3dc0cf584a3d6b074709174bb890a3c65412c5aff07c0ffa5d7fee0e3f9f02d4efb094913443349338e469bd6b9a6d73340e4ae28ebc73cb2d9f952ae2570c5
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
- Family: makop
- E-mail addresses: pecunia0318@airmail.cc, pecunia0318@goat.si, pecunia0318@tutanota.com
Signatures
- Makop
  Ransomware family discovered by @VK_Intel in early 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
  Processes: wbadmin.exe (PID 1224)
- Loads dropped DLL (2 IoCs)
  Processes: sample.exe (PID 484), sample.exe (PID 1532)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: sample.exe (PID 484) set thread context of sample.exe (PID 1568); sample.exe (PID 1532) set thread context of sample.exe (PID 1700)
- Drops file in Program Files directory (64 IoCs)
  Processes: sample.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1652)
- Modifies system certificate store
  Processes: sample.exe
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
    Set value (data), twice: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: sample.exe (PID 1568)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: sample.exe (PID 484), sample.exe (PID 1532)
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes:
    vssvc.exe (PID 1108): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    wbengine.exe (PID 904): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
    WMIC.exe (PID 1776), each token adjusted twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes (writer -> target process, number of writes):
    sample.exe (PID 484) -> sample.exe (PID 1568), 8 writes
    sample.exe (PID 1568) -> cmd.exe (PID 1428), 4 writes
    cmd.exe (PID 1428) -> vssadmin.exe (PID 1652), 3 writes
    cmd.exe (PID 1428) -> wbadmin.exe (PID 1224), 3 writes
    cmd.exe (PID 1428) -> WMIC.exe (PID 1776), 3 writes
    sample.exe (PID 1532) -> sample.exe (PID 1700), 8 writes
Processes (indented by depth in the process tree; image path, then command line)

- [1] C:\Users\Admin\AppData\Local\Temp\sample.exe
      "C:\Users\Admin\AppData\Local\Temp\sample.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
    - [2] C:\Users\Admin\AppData\Local\Temp\sample.exe
          "C:\Users\Admin\AppData\Local\Temp\sample.exe"
          - Drops file in Program Files directory
          - Modifies system certificate store
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
        - [3] C:\Users\Admin\AppData\Local\Temp\sample.exe
              "C:\Users\Admin\AppData\Local\Temp\sample.exe" n1568
              - Loads dropped DLL
              - Suspicious use of SetThreadContext
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of WriteProcessMemory
            - [4] C:\Users\Admin\AppData\Local\Temp\sample.exe
                  "C:\Users\Admin\AppData\Local\Temp\sample.exe" n1568
        - [3] C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe"
              - Suspicious use of WriteProcessMemory
            - [4] C:\Windows\system32\vssadmin.exe
                  vssadmin delete shadows /all /quiet
                  - Interacts with shadow copies
            - [4] C:\Windows\system32\wbadmin.exe
                  wbadmin delete catalog -quiet
                  - Deletes backup catalog
            - [4] C:\Windows\System32\Wbem\WMIC.exe
                  wmic shadowcopy delete
                  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
- [1] C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads