Analysis
max time kernel: 116s
max time network: 116s
platform: windows10_x64
resource: win10v20210410
submitted: 28-04-2021 10:04
Static task: static1
Behavioral task: behavioral1 (Sample: sample.exe; Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: sample.exe; Resource: win10v20210410)
General
Target: sample.exe
Size: 486KB
MD5: 237d76f961f8f550c4c4bbfab30153a6
SHA1: 5682d74259f61ac05b4099159ebf62377fd7586f
SHA256: d07923f73f1b5f41ab02c3239468bc0eacfe31c02b84814b6bc522a98d9b4b22
SHA512: c3dc0cf584a3d6b074709174bb890a3c65412c5aff07c0ffa5d7fee0e3f9f02d4efb094913443349338e469bd6b9a6d73340e4ae28ebc73cb2d9f952ae2570c5
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
Family: makop
Contact emails (from the ransom note):
pecunia0318@airmail.cc
pecunia0318@goat.si
pecunia0318@tutanota.com
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 3220 created 2124 | 3220 | svchost.exe | sample.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Processes:
pid | process
2044 | wbadmin.exe
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\SyncAdd.tiff | sample.exe
File opened for modification | C:\Users\Admin\Pictures\InvokeSubmit.tiff | sample.exe
Loads dropped DLL 2 IoCs
Processes:
pid | process
3984 | sample.exe
1464 | sample.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 3984 set thread context of 2124 | 3984 | sample.exe | sample.exe
PID 1464 set thread context of 2756 | 1464 | sample.exe | sample.exe
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\iheart-radio.scale-125_contrast-white.png | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Paint_Logo_with_Trademark_ABOUT_POPUP.png | sample.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\indxicon.gif | sample.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml | sample.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\bg3.jpg | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100_contrast-white.png | sample.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeNullOrEmpty.ps1 | sample.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg | sample.exe
File opened for modification | C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\pm_16x11.png | sample.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1725_32x32x32.png | sample.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\PREVIEW.GIF | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\send.white.png | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Fues\Popup_shadow_1_2bp.png | sample.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\readme-warning.txt | sample.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_checkbox_unselected_18.svg | sample.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\ui-strings.js | sample.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms | sample.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png | sample.exe
File created | C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\readme-warning.txt | sample.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo | sample.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\LargeLogo.scale-125.png | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-150.png | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5311_32x32x32.png | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\OneConnectLargeTile.scale-100.png | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64.png | sample.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\In.ps1 | sample.exe
File created | C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\readme-warning.txt | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-400.png | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\cool.png | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashScreen.scale-100_contrast-black.png | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\Assets\XboxNotificationLogo.png | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4632_24x24x32.png | sample.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CalibriLI.ttf | sample.exe
File opened for modification | C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui | sample.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-125_contrast-white.png | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\aquarium_12d.png | sample.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\ui-strings.js | sample.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ga_16x11.png | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosLargeTile.contrast-white_scale-200.png | sample.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\de-de\readme-warning.txt | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Audio\Skype_Call_Answer.m4a | sample.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\ReliveSurfaces\Preview\RelivePreviewControl.xaml | sample.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-125.png | sample.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\home-selector.css | sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-36.png | sample.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms | sample.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutImage.layoutdir-RTL.gif | sample.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Toast.svg | sample.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml | sample.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml | sample.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\10191_20x20x32.png | sample.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\readme-warning.txt | sample.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\readme-warning.txt | sample.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\ui-strings.js | sample.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-multitabs.jar | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\AppxSignature.p7x | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5034_40x40x32.png | sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\dk_60x42.png | sample.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailMediumTile.scale-150.png | sample.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\delete.svg | sample.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName | vds.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
2668 | vssadmin.exe
Modifies system certificate store
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | sample.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data not present in this extract] | sample.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
2124 | sample.exe
2124 | sample.exe
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
3984 | sample.exe
1464 | sample.exe
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
description | pid | process
Token: SeTcbPrivilege | 3220 | svchost.exe
Token: SeTcbPrivilege | 3220 | svchost.exe
Token: SeBackupPrivilege | 2760 | vssvc.exe
Token: SeRestorePrivilege | 2760 | vssvc.exe
Token: SeAuditPrivilege | 2760 | vssvc.exe
Token: SeBackupPrivilege | 3816 | wbengine.exe
Token: SeRestorePrivilege | 3816 | wbengine.exe
Token: SeSecurityPrivilege | 3816 | wbengine.exe
Token: SeIncreaseQuotaPrivilege | 2324 | WMIC.exe
Token: SeSecurityPrivilege | 2324 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2324 | WMIC.exe
Token: SeLoadDriverPrivilege | 2324 | WMIC.exe
Token: SeSystemProfilePrivilege | 2324 | WMIC.exe
Token: SeSystemtimePrivilege | 2324 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2324 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2324 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2324 | WMIC.exe
Token: SeBackupPrivilege | 2324 | WMIC.exe
Token: SeRestorePrivilege | 2324 | WMIC.exe
Token: SeShutdownPrivilege | 2324 | WMIC.exe
Token: SeDebugPrivilege | 2324 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2324 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2324 | WMIC.exe
Token: SeUndockPrivilege | 2324 | WMIC.exe
Token: SeManageVolumePrivilege | 2324 | WMIC.exe
Token: 33 | 2324 | WMIC.exe
Token: 34 | 2324 | WMIC.exe
Token: 35 | 2324 | WMIC.exe
Token: 36 | 2324 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 2324 | WMIC.exe
Token: SeSecurityPrivilege | 2324 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2324 | WMIC.exe
Token: SeLoadDriverPrivilege | 2324 | WMIC.exe
Token: SeSystemProfilePrivilege | 2324 | WMIC.exe
Token: SeSystemtimePrivilege | 2324 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2324 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2324 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2324 | WMIC.exe
Token: SeBackupPrivilege | 2324 | WMIC.exe
Token: SeRestorePrivilege | 2324 | WMIC.exe
Token: SeShutdownPrivilege | 2324 | WMIC.exe
Token: SeDebugPrivilege | 2324 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2324 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2324 | WMIC.exe
Token: SeUndockPrivilege | 2324 | WMIC.exe
Token: SeManageVolumePrivilege | 2324 | WMIC.exe
Token: 33 | 2324 | WMIC.exe
Token: 34 | 2324 | WMIC.exe
Token: 35 | 2324 | WMIC.exe
Token: 36 | 2324 | WMIC.exe
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
description | pid | process | target process
PID 3984 wrote to memory of 2124 | 3984 | sample.exe | sample.exe
PID 3984 wrote to memory of 2124 | 3984 | sample.exe | sample.exe
PID 3984 wrote to memory of 2124 | 3984 | sample.exe | sample.exe
PID 3984 wrote to memory of 2124 | 3984 | sample.exe | sample.exe
PID 3220 wrote to memory of 1464 | 3220 | svchost.exe | sample.exe
PID 3220 wrote to memory of 1464 | 3220 | svchost.exe | sample.exe
PID 3220 wrote to memory of 1464 | 3220 | svchost.exe | sample.exe
PID 3220 wrote to memory of 1464 | 3220 | svchost.exe | sample.exe
PID 3220 wrote to memory of 1464 | 3220 | svchost.exe | sample.exe
PID 3220 wrote to memory of 1464 | 3220 | svchost.exe | sample.exe
PID 3220 wrote to memory of 1464 | 3220 | svchost.exe | sample.exe
PID 2124 wrote to memory of 3944 | 2124 | sample.exe | cmd.exe
PID 2124 wrote to memory of 3944 | 2124 | sample.exe | cmd.exe
PID 3944 wrote to memory of 2668 | 3944 | cmd.exe | vssadmin.exe
PID 3944 wrote to memory of 2668 | 3944 | cmd.exe | vssadmin.exe
PID 3944 wrote to memory of 2044 | 3944 | cmd.exe | wbadmin.exe
PID 3944 wrote to memory of 2044 | 3944 | cmd.exe | wbadmin.exe
PID 3944 wrote to memory of 2324 | 3944 | cmd.exe | WMIC.exe
PID 3944 wrote to memory of 2324 | 3944 | cmd.exe | WMIC.exe
PID 1464 wrote to memory of 2756 | 1464 | sample.exe | sample.exe
PID 1464 wrote to memory of 2756 | 1464 | sample.exe | sample.exe
PID 1464 wrote to memory of 2756 | 1464 | sample.exe | sample.exe
PID 1464 wrote to memory of 2756 | 1464 | sample.exe | sample.exe
Processes
(tree depth shown in brackets; each entry lists the image path, its command line, and the signatures it triggered)
[depth 1] C:\Users\Admin\AppData\Local\Temp\sample.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    [depth 2] C:\Users\Admin\AppData\Local\Temp\sample.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
        - Modifies extensions of user files
        - Drops file in Program Files directory
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [depth 3] C:\Users\Admin\AppData\Local\Temp\sample.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe" n2124
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory
            [depth 4] C:\Users\Admin\AppData\Local\Temp\sample.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe" n2124
        [depth 3] C:\Windows\system32\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe"
            - Suspicious use of WriteProcessMemory
            [depth 4] C:\Windows\system32\vssadmin.exe
                Command line: vssadmin delete shadows /all /quiet
                - Interacts with shadow copies
            [depth 4] C:\Windows\system32\wbadmin.exe
                Command line: wbadmin delete catalog -quiet
                - Deletes backup catalog
            [depth 4] C:\Windows\System32\Wbem\WMIC.exe
                Command line: wmic shadowcopy delete
                - Suspicious use of AdjustPrivilegeToken
[depth 1] \??\c:\windows\system32\svchost.exe
    Command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[depth 1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\System32\vdsldr.exe
    Command line: C:\Windows\System32\vdsldr.exe -Embedding
[depth 1] C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
    - Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\845939759
MD5: 39fde6d7b2a5dd3b55c2504bf80eaa1f
SHA1: 9bf70a8887e5f405026c0a64ac1465b5d66dbaf0
SHA256: 7378922ccafe6f374522963c64d851167a7e810a135f0d5d374e5b3583055154
SHA512: 05978ffd5e1879e5cdfb5a93661a617a6ff74f7873249520699e3a68f2a813e38865b32cdd61f8a435165b739b95d63e7502b4b223e77e97a40a62a50ec3d270
-
C:\Users\Admin\AppData\Roaming\845939759
MD5: 8649d283e3e0fa8b8a9d73d183748e39
SHA1: a7599f04ba10e28615ec8339f771de9ad78a28d3
SHA256: 9928050eb468d6a1f573d7962202b4be5ac1216ab122d9841e257135ecbc9ab9
SHA512: 8c708175d59adbf639f0fc6ebe060bc2b4740dc5234a1b3d120322638065da8bc18a56c2e82a0c42fd647a166e97fd32eca3a72ba4a8a07aa833dcaf89b712ef
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk
MD5: 6636e62e4d667e4e332dbb853bb39140
SHA1: fb018a1d4fe29ddd3e5836bc0e5444d1199ab03a
SHA256: 8f4f851df4d21ef3052f996a0e13b6af07522211bb2bd6b3809ea2ea75af193b
SHA512: 9126296b97fc2cf3fd1b7293cda02b4c273dccc73952208525e064677730dce874b5aa9c19370be1e68476b80ebbe05236af82bc8a267a869b327678366ec3f7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk
MD5: 4a091c24fed1ef1912da19556c5c2f65
SHA1: 6d45621047ece04c1b45e5d4d0da76d5d5da50a0
SHA256: 679c5dc0b3829d777ed2c0fa495e983acd2cd12e2d373a34f318f8d8e6be6656
SHA512: 393a1ac61d325a310efa1d0385f1f2a5009d50166804d758cccc114118246b76af8571d4b4e299f4c5bd1977e832c27c4cd0d7644dbd7ef79e2cb87967feca6b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk
(these are the digests of a zero-byte file, i.e. the file was empty when captured)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk
MD5: 26c488f964c9d9a2a3321c1e52fe6897
SHA1: d2cf4f6a7cb7f0d77631c6d663f96d03f66dda35
SHA256: 58d43e893392c04d75b1669a9aaffe1ea2ebc77a92fac98e61937854c2150159
SHA512: 667c0e43c0d8c2492638f54c09b6695983fa79b626384ee53f3d6d69c2c97c308d0c86d8d1de2739e09a92f20807b4a3f393219be9d98ab4a634358290760ee6
-
\Users\Admin\AppData\Local\Temp\nsj503A.tmp\System.dll
MD5: 0063d48afe5a0cdc02833145667b6641
SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
\Users\Admin\AppData\Local\Temp\nsn1C58.tmp\System.dll
MD5: 0063d48afe5a0cdc02833145667b6641
SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
memory/1464-117-0x0000000000000000-mapping.dmp
-
memory/2044-123-0x0000000000000000-mapping.dmp
-
memory/2124-116-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize: 120KB
-
memory/2124-115-0x0000000000405680-mapping.dmp
-
memory/2324-125-0x0000000000000000-mapping.dmp
-
memory/2668-122-0x0000000000000000-mapping.dmp
-
memory/2756-126-0x0000000000405680-mapping.dmp
-
memory/3944-118-0x0000000000000000-mapping.dmp