buran | a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16

Analysis

max time kernel
152s
max time network
155s
platform
windows10_x64
resource
win10v20210408
submitted
31/08/2021, 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16.exe
Size

271KB
MD5

739ea3e3f504a12e8faaed996d14dd9e
SHA1

32e935835d7d4956f578fddbb44e58fdd2cd3599
SHA256

a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16
SHA512

842794850bfeff1a5592810fc45e1cb1f9097bc5dc514149ec5adb771a9639aab41a521f36c64b39ea4393419751be7989bcfee39938feec19cc9f29620e9ce9

Score

10^/10

buran smokeloader backdoor discovery evasion persistence ransomware spyware stealer themida trojan

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 500$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: 935-356-859 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 4 IoCs

pid	Process
4044	FA54.exe
2372	FE5C.exe
3028	smss.exe
792	smss.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FE5C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FE5C.exe

Deletes itself 1 IoCs

pid	Process
3092	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0005000000000681-122.dat	themida
behavioral1/files/0x0005000000000681-124.dat	themida
behavioral1/memory/2372-132-0x0000000000FC0000-0x0000000000FC1000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	FA54.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	FA54.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FE5C.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\F:	smss.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\I:	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	geoiptool.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2372	FE5C.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 640 set thread context of 3620	640	a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16.exe	74

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\FillnSign_visual.svg	smss.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\AppxBlockMap.xml	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-200.png	smss.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\AppxManifest.xml	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\s_empty_folder_state.svg.payfast290.935-356-859	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_ja_4.4.0.v20140623020002.jar	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-125_contrast-black.png	smss.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\main.css.payfast290.935-356-859	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main-selector.css.payfast290.935-356-859	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\NewScene.scale-100.png	smss.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\FullScreen\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\resources.pri	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\LargeTile.scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-150_contrast-black.png	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\ui-strings.js	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo.payfast290.935-356-859	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\LargeTile.scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_EyeLashEye.png	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-cn\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\FOLDER.ICO	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gi_60x42.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxAccountsSplashLogo.scale-180.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-100.png	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\AppxMetadata\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\Dismiss.scale-80.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\hu_get.svg.payfast290.935-356-859	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\BLUEPRNT.INF	smss.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\7F90D34A-6846-4B37-9E6C-DA49ECC4DACB\root\vfs\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-200_contrast-black.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.lock	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL115.XML.payfast290.935-356-859	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_TR-TR.respack	smss.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\vlc.mo.payfast290.935-356-859	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\MedTile.scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\AppxSignature.p7x	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-200.png	smss.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2016.511.9510.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN105.XML	smss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\WideTile.scale-200.png	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2664	vssadmin.exe
3712	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	FA54.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FA54.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3620	a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16.exe
3620	a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16.exe
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3092	Process not Found

Suspicious behavior: MapViewOfSection 19 IoCs

pid	Process
3620	a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16.exe
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeDebugPrivilege	4044	FA54.exe
Token: SeDebugPrivilege	4044	FA54.exe
Token: SeDebugPrivilege	2372	FE5C.exe
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeIncreaseQuotaPrivilege	3972	WMIC.exe
Token: SeSecurityPrivilege	3972	WMIC.exe
Token: SeTakeOwnershipPrivilege	3972	WMIC.exe
Token: SeLoadDriverPrivilege	3972	WMIC.exe
Token: SeSystemProfilePrivilege	3972	WMIC.exe
Token: SeSystemtimePrivilege	3972	WMIC.exe
Token: SeProfSingleProcessPrivilege	3972	WMIC.exe
Token: SeIncBasePriorityPrivilege	3972	WMIC.exe
Token: SeCreatePagefilePrivilege	3972	WMIC.exe
Token: SeBackupPrivilege	3972	WMIC.exe
Token: SeRestorePrivilege	3972	WMIC.exe
Token: SeShutdownPrivilege	3972	WMIC.exe
Token: SeDebugPrivilege	3972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3972	WMIC.exe
Token: SeRemoteShutdownPrivilege	3972	WMIC.exe
Token: SeUndockPrivilege	3972	WMIC.exe
Token: SeManageVolumePrivilege	3972	WMIC.exe
Token: 33	3972	WMIC.exe
Token: 34	3972	WMIC.exe
Token: 35	3972	WMIC.exe
Token: 36	3972	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3720	WMIC.exe
Token: SeSecurityPrivilege	3720	WMIC.exe
Token: SeTakeOwnershipPrivilege	3720	WMIC.exe
Token: SeLoadDriverPrivilege	3720	WMIC.exe
Token: SeSystemProfilePrivilege	3720	WMIC.exe
Token: SeSystemtimePrivilege	3720	WMIC.exe
Token: SeProfSingleProcessPrivilege	3720	WMIC.exe
Token: SeIncBasePriorityPrivilege	3720	WMIC.exe
Token: SeCreatePagefilePrivilege	3720	WMIC.exe
Token: SeBackupPrivilege	3720	WMIC.exe
Token: SeRestorePrivilege	3720	WMIC.exe
Token: SeShutdownPrivilege	3720	WMIC.exe
Token: SeDebugPrivilege	3720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3720	WMIC.exe
Token: SeRemoteShutdownPrivilege	3720	WMIC.exe
Token: SeUndockPrivilege	3720	WMIC.exe
Token: SeManageVolumePrivilege	3720	WMIC.exe
Token: 33	3720	WMIC.exe
Token: 34	3720	WMIC.exe
Token: 35	3720	WMIC.exe
Token: 36	3720	WMIC.exe
Token: SeBackupPrivilege	2836	vssvc.exe
Token: SeRestorePrivilege	2836	vssvc.exe
Token: SeAuditPrivilege	2836	vssvc.exe
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3092	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 3620	640	a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16.exe	74
PID 640 wrote to memory of 3620	640	a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16.exe	74
PID 640 wrote to memory of 3620	640	a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16.exe	74
PID 640 wrote to memory of 3620	640	a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16.exe	74
PID 640 wrote to memory of 3620	640	a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16.exe	74
PID 640 wrote to memory of 3620	640	a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16.exe	74
PID 3092 wrote to memory of 4044	3092	Process not Found	78
PID 3092 wrote to memory of 4044	3092	Process not Found	78
PID 3092 wrote to memory of 4044	3092	Process not Found	78
PID 3092 wrote to memory of 2372	3092	Process not Found	79
PID 3092 wrote to memory of 2372	3092	Process not Found	79
PID 3092 wrote to memory of 2372	3092	Process not Found	79
PID 3092 wrote to memory of 572	3092	Process not Found	81
PID 3092 wrote to memory of 572	3092	Process not Found	81
PID 3092 wrote to memory of 572	3092	Process not Found	81
PID 3092 wrote to memory of 572	3092	Process not Found	81
PID 3092 wrote to memory of 2156	3092	Process not Found	82
PID 3092 wrote to memory of 2156	3092	Process not Found	82
PID 3092 wrote to memory of 2156	3092	Process not Found	82
PID 3092 wrote to memory of 2112	3092	Process not Found	83
PID 3092 wrote to memory of 2112	3092	Process not Found	83
PID 3092 wrote to memory of 2112	3092	Process not Found	83
PID 3092 wrote to memory of 2112	3092	Process not Found	83
PID 3092 wrote to memory of 3988	3092	Process not Found	84
PID 3092 wrote to memory of 3988	3092	Process not Found	84
PID 3092 wrote to memory of 3988	3092	Process not Found	84
PID 4044 wrote to memory of 3028	4044	FA54.exe	85
PID 4044 wrote to memory of 3028	4044	FA54.exe	85
PID 4044 wrote to memory of 3028	4044	FA54.exe	85
PID 4044 wrote to memory of 1812	4044	FA54.exe	86
PID 4044 wrote to memory of 1812	4044	FA54.exe	86
PID 4044 wrote to memory of 1812	4044	FA54.exe	86
PID 4044 wrote to memory of 1812	4044	FA54.exe	86
PID 4044 wrote to memory of 1812	4044	FA54.exe	86
PID 4044 wrote to memory of 1812	4044	FA54.exe	86
PID 3092 wrote to memory of 2036	3092	Process not Found	87
PID 3092 wrote to memory of 2036	3092	Process not Found	87
PID 3092 wrote to memory of 2036	3092	Process not Found	87
PID 3092 wrote to memory of 2036	3092	Process not Found	87
PID 3092 wrote to memory of 412	3092	Process not Found	88
PID 3092 wrote to memory of 412	3092	Process not Found	88
PID 3092 wrote to memory of 412	3092	Process not Found	88
PID 3092 wrote to memory of 2420	3092	Process not Found	89
PID 3092 wrote to memory of 2420	3092	Process not Found	89
PID 3092 wrote to memory of 2420	3092	Process not Found	89
PID 3092 wrote to memory of 2420	3092	Process not Found	89
PID 3092 wrote to memory of 3452	3092	Process not Found	90
PID 3092 wrote to memory of 3452	3092	Process not Found	90
PID 3092 wrote to memory of 3452	3092	Process not Found	90
PID 3092 wrote to memory of 1700	3092	Process not Found	91
PID 3092 wrote to memory of 1700	3092	Process not Found	91
PID 3092 wrote to memory of 1700	3092	Process not Found	91
PID 3092 wrote to memory of 1700	3092	Process not Found	91
PID 3028 wrote to memory of 2148	3028	smss.exe	92
PID 3028 wrote to memory of 2148	3028	smss.exe	92
PID 3028 wrote to memory of 2148	3028	smss.exe	92
PID 3028 wrote to memory of 864	3028	smss.exe	93
PID 3028 wrote to memory of 864	3028	smss.exe	93
PID 3028 wrote to memory of 864	3028	smss.exe	93
PID 3028 wrote to memory of 1128	3028	smss.exe	94
PID 3028 wrote to memory of 1128	3028	smss.exe	94
PID 3028 wrote to memory of 1128	3028	smss.exe	94
PID 3028 wrote to memory of 572	3028	smss.exe	97
PID 3028 wrote to memory of 572	3028	smss.exe	97

C:\Users\Admin\AppData\Local\Temp\a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16.exe
"C:\Users\Admin\AppData\Local\Temp\a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16.exe
  "C:\Users\Admin\AppData\Local\Temp\a92618c221f1a23c122054103b136f6dab994bd7eeb78feb90b5fc627687ce16.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3620

C:\Users\Admin\AppData\Local\Temp\FA54.exe
C:\Users\Admin\AppData\Local\Temp\FA54.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:2148
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:1540
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:3668
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3720
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3712
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:792
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:1812

C:\Users\Admin\AppData\Local\Temp\FE5C.exe
C:\Users\Admin\AppData\Local\Temp\FE5C.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:572

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2156

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2112

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3988

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2036

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:412

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2420

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3452

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/412-164-0x0000000000800000-0x000000000080C000-memory.dmp

Filesize
48KB

Download
memory/412-163-0x0000000000810000-0x0000000000816000-memory.dmp

Filesize
24KB

Download
memory/572-128-0x0000000003220000-0x000000000328B000-memory.dmp

Filesize
428KB

Download
memory/572-127-0x0000000003290000-0x0000000003304000-memory.dmp

Filesize
464KB

Download
memory/640-116-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/1700-173-0x0000000000520000-0x0000000000529000-memory.dmp

Filesize
36KB

Download
memory/1700-172-0x0000000000530000-0x0000000000535000-memory.dmp

Filesize
20KB

Download
memory/1812-159-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/2036-161-0x00000000003C0000-0x00000000003C9000-memory.dmp

Filesize
36KB

Download
memory/2036-160-0x00000000003D0000-0x00000000003D5000-memory.dmp

Filesize
20KB

Download
memory/2112-138-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/2112-137-0x00000000003F0000-0x00000000003F7000-memory.dmp

Filesize
28KB

Download
memory/2156-131-0x0000000000EB0000-0x0000000000EBC000-memory.dmp

Filesize
48KB

Download
memory/2156-130-0x0000000000EC0000-0x0000000000EC7000-memory.dmp

Filesize
28KB

Download
memory/2372-136-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/2372-139-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/2372-134-0x0000000005DE0000-0x0000000005DE1000-memory.dmp

Filesize
4KB

Download
memory/2372-132-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/2372-140-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/2372-184-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/2372-129-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/2372-147-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/2372-179-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/2372-178-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download
memory/2372-177-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/2372-176-0x0000000007DA0000-0x0000000007DA1000-memory.dmp

Filesize
4KB

Download
memory/2372-142-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/2372-175-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/2372-174-0x0000000007170000-0x0000000007171000-memory.dmp

Filesize
4KB

Download
memory/2420-166-0x0000000000810000-0x0000000000814000-memory.dmp

Filesize
16KB

Download
memory/2420-167-0x0000000000800000-0x0000000000809000-memory.dmp

Filesize
36KB

Download
memory/3092-117-0x0000000000A50000-0x0000000000A66000-memory.dmp

Filesize
88KB

Download
memory/3452-169-0x0000000000B90000-0x0000000000B95000-memory.dmp

Filesize
20KB

Download
memory/3452-170-0x0000000000B80000-0x0000000000B89000-memory.dmp

Filesize
36KB

Download
memory/3620-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3988-144-0x0000000000BD0000-0x0000000000BDF000-memory.dmp

Filesize
60KB

Download
memory/3988-143-0x0000000000BE0000-0x0000000000BE9000-memory.dmp

Filesize
36KB

Download