Analysis
- Max time kernel: 152s
- Max time network: 153s
- Platform: windows10_x64
- Resource: win10v20210408
- Submitted: 31-08-2021 12:42

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 718a32e1233d20058b882251b0265872880e64e5be9ba5c3ff42dfc430f12c91.exe
  - Resource: win10v20210408
General
- Target: 718a32e1233d20058b882251b0265872880e64e5be9ba5c3ff42dfc430f12c91.exe
- Size: 299KB
- MD5: 532314c89cc0f6b55b6ee775ae894fc5
- SHA1: bcb196361a23efca52af139ca0a579ca4be13478
- SHA256: 718a32e1233d20058b882251b0265872880e64e5be9ba5c3ff42dfc430f12c91
- SHA512: 031d48471268163391520a8304ba26ba98a2494305a3cc828fb0f57f22fea432b2747d34cda907a52695f20e963038fdb74406342911e124c9423dfb0a053b63
Malware Config

Extracted: Buran
- Ransom note path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Extracted: SmokeLoader
- Version: 2020
- C2 URLs (30 entries; every one is the stem readinglistforaugust followed by a number 1-10 and one of the TLDs .xyz, .site or .club, so a single pattern rule covers the whole list):
  - http://readinglistforaugust1.xyz/
  - http://readinglistforaugust2.xyz/
  - http://readinglistforaugust3.xyz/
  - http://readinglistforaugust4.xyz/
  - http://readinglistforaugust5.xyz/
  - http://readinglistforaugust6.xyz/
  - http://readinglistforaugust7.xyz/
  - http://readinglistforaugust8.xyz/
  - http://readinglistforaugust9.xyz/
  - http://readinglistforaugust10.xyz/
  - http://readinglistforaugust1.site/
  - http://readinglistforaugust2.site/
  - http://readinglistforaugust3.site/
  - http://readinglistforaugust4.site/
  - http://readinglistforaugust5.site/
  - http://readinglistforaugust6.site/
  - http://readinglistforaugust7.site/
  - http://readinglistforaugust8.site/
  - http://readinglistforaugust9.site/
  - http://readinglistforaugust10.site/
  - http://readinglistforaugust1.club/
  - http://readinglistforaugust2.club/
  - http://readinglistforaugust3.club/
  - http://readinglistforaugust4.club/
  - http://readinglistforaugust5.club/
  - http://readinglistforaugust6.club/
  - http://readinglistforaugust7.club/
  - http://readinglistforaugust8.club/
  - http://readinglistforaugust9.club/
  - http://readinglistforaugust10.club/
Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.

SmokeLoader
Modular backdoor trojan in use since 2014.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (3 IoCs)
- PID 1376: C2F8.exe
- PID 580: smss.exe
- PID 1308: smss.exe

Deletes itself (1 IoC)
- PID 3016 (image name not recorded in the report)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created by C2F8.exe: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Set value (str) by C2F8.exe: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"
Note: the persisted binary is called smss.exe but runs from the user's Roaming profile. The genuine Session Manager lives in %SystemRoot%\System32, is started by the kernel and is never registered under a Run key, so a Run value pointing at an smss.exe outside System32 is a reliable masquerading indicator (ATT&CK T1036) on top of the per-user Run-key persistence itself (T1547.001).
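The two checks a responder would actually run over a Run-key IoC like the one above, as an added example that is not part of the sandbox report: parse the report's "Set value (str)" line (unescaping the \\ and \" sequences the report uses), pull out the image path, and flag it when a Windows system-binary name is running from somewhere other than System32/SysWOW64 or from a user-writable directory. The second sample line is a constructed benign value included for contrast; the list of system-binary names is the author's own and can be extended.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the Run-key IoC line from this report, plus a made-up
# benign value of the same shape for contrast.
SAMPLE_RUN_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start" C2F8.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" explorer.exe',
]

# Names of core Windows binaries that live under %SystemRoot%\System32 and are
# never legitimately launched from a Run key (author's list, extend as needed).
SYSTEM_BINARY_NAMES = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe", "dwm.exe", "spoolsv.exe",
}
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Shape of the report line: Set value (str) <key>\<name> = "<escaped data>" <writer>
RUN_VALUE_RE = re.compile(
    r'Set value \(str\) '
    r'(?P<key>\\REGISTRY\\(?:USER|MACHINE)\\\S*?\\CurrentVersion\\Run)'
    r'\\(?P<name>\S+) = "(?P<data>.*)" (?P<writer>\S+)$'
)


def parse_run_value(line):
    """Parse one Run-value write from the report; None for other registry lines."""
    m = RUN_VALUE_RE.search(line)
    if not m:
        return None
    # The report escapes the stored string: \\ for a backslash, \" for a quote.
    data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
    if data.startswith('"'):
        image = data[1 : data.index('"', 1)]   # quoted image path
    else:
        image = data.split()[0]                 # bare image path, args follow
    return {
        "key": m.group("key"),
        "value_name": m.group("name"),
        "image": image,
        "command": data,
        "writer": m.group("writer"),
    }


def assess_run_value(entry):
    """Reasons a parsed Run value looks like planted persistence (empty = nothing odd)."""
    reasons = []
    image = entry["image"]
    low = image.lower()
    base = PureWindowsPath(image).name.lower()
    if base in SYSTEM_BINARY_NAMES and not SYSTEM_DIR_RE.match(low):
        reasons.append(f"{base} is a Windows system binary name but runs from {image}")
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("image lives in a user-writable directory")
    return reasons


def triage_run_values(lines):
    """(entry, reasons) for every Run-value write found in the given report lines."""
    results = []
    for line in lines:
        entry = parse_run_value(line)
        if entry is not None:
            results.append((entry, assess_run_value(entry)))
    return results


if __name__ == "__main__":
    for entry, reasons in triage_run_values(SAMPLE_RUN_LINES):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict}: {entry['key']}\\{entry['value_name']} -> {entry['image']} "
              f"(written by {entry['writer']})")
        for reason in reasons:
            print("   -", reason)
```

Run against the report line this yields two findings (system-binary name outside System32, image under AppData); the constructed SecurityHealth value yields none. The writer process is kept in the parsed entry because a Run value written by a process other than the image it points at (here C2F8.exe planting smss.exe) is the next thing to pivot on in the process tree.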
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- smss.exe opened (read-only), listed here alphabetically: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
  That is every drive letter except C: and D:, i.e. a full sweep for additional volumes (mapped shares and removable media included) to encrypt.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
(no IoCs listed)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 24: geoiptool.com

Suspicious use of SetThreadContext (1 IoC)
- PID 4060 (718a32e1233d20058b882251b0265872880e64e5be9ba5c3ff42dfc430f12c91.exe) set thread context of PID 2344, a second instance of the same image; procid_target 75
Note: together with the six WriteProcessMemory hits from 4060 into 2344 and the MapViewOfSection hits on 2344 (both below), a parent setting the thread context of a freshly started copy of its own image is the pattern of a packer unpacking and injecting its payload into a child (ATT&CK T1055, Process Injection). The child, PID 2344, is the instance that goes on to check the SCSI registry key and enumerate processes, so it is the one to dump for the unpacked payload.
Drops file in Program Files directory (64 IoCs)
All entries below are from smss.exe (the "-agent 0" instance, PID 1308, per the process tree). Two patterns are visible: "File opened for modification" is the encryption pass (38 files still under their original names, 17 already carrying the appended extension .payfast290.101-1DC-526, which marks an encrypted file in this run), and "File created" is the ransom note !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT being written into each directory visited (9 of them in this list).
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\msipc.dll.mui
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.LEX.payfast290.101-1DC-526
- File created: C:\Program Files\Microsoft Office 15\ClientX64\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsWideTile.contrast-black_scale-125.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-400.png
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.payfast290.101-1DC-526
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons2x.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1851_32x32x32.png
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.payfast290.101-1DC-526
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\tmi.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\vlc.mo.payfast290.101-1DC-526
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\sleepy.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html.payfast290.101-1DC-526
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\ui-strings.js.payfast290.101-1DC-526
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2708_40x40x32.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxLargeTile.scale-400.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\hr_16x11.png
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ppd.xrm-ms
- File created: C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8794_20x20x32.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\MedTile.scale-200.png
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-phn.xrm-ms
- File created: C:\Program Files\VideoLAN\VLC\locale\wa\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\mn_60x42.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\plugin.js.payfast290.101-1DC-526
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\ui-strings.js
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\ui-strings.js
- File created: C:\Program Files\VideoLAN\VLC\locale\ga\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\facepalm.png
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ppd.xrm-ms.payfast290.101-1DC-526
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\gu_16x11.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-250.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\ui-strings.js.payfast290.101-1DC-526
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf
- File opened for modification: C:\Program Files\7-Zip\Lang\ca.txt
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.payfast290.101-1DC-526
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar
- File opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml
- File created: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Awards\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-40.png
- File opened for modification: C:\Program Files\7-Zip\Lang\be.txt
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\cldrdata.jar.payfast290.101-1DC-526
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ppd.xrm-ms.payfast290.101-1DC-526
- File created: C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-200.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\classic_12d.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7296_48x48x32.png
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_es.properties.payfast290.101-1DC-526
- File created: C:\Program Files\Microsoft Office\root\Integration\Addons\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\ui-strings.js
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css.payfast290.101-1DC-526
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-down.svg.payfast290.101-1DC-526
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_13c.png
- File created: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\AppCS\Assets\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\createpdf.svg.payfast290.101-1DC-526
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.payfast290.101-1DC-526
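Given only file-event lines like the ones above, the two things to recover automatically are the appended extension (so you can inventory encrypted files on other hosts) and the ransom note name (a file created with the same name in many directories). The following is an added example, not tooling from the report: it parses the report's "File created" / "File opened for modification" lines and applies one heuristic for each. The appended-extension guess counts every dotted tail whose removal still leaves an original extension in place (so ".payfast290.101-1DC-526" and ".101-1DC-526" are both candidates for vlc.mo.payfast290.101-1DC-526, while ".png" only counts for names like LinkedInboxSmallTile.scale-400.png), takes the most frequent tail and prefers the longer one on ties. The nine sample lines are a constructed subset of the 64 entries listed above, copied as they appear there; the thresholds are the author's choice.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed subset of the "Drops file in Program Files directory" IoC lines
# from this report (nine of the 64 entries, copied as listed there).
SAMPLE_FILE_LINES = [
    r"File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC smss.exe",
    r"File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.LEX.payfast290.101-1DC-526 smss.exe",
    r"File created C:\Program Files\Microsoft Office 15\ClientX64\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT smss.exe",
    r"File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-400.png smss.exe",
    r"File opened for modification C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\vlc.mo.payfast290.101-1DC-526 smss.exe",
    r"File created C:\Program Files\VideoLAN\VLC\locale\wa\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT smss.exe",
    r"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html.payfast290.101-1DC-526 smss.exe",
    r"File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\cldrdata.jar.payfast290.101-1DC-526 smss.exe",
    r"File created C:\Program Files\Microsoft Office\root\Integration\Addons\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT smss.exe",
]

# Report line shape: "File <op> <path with spaces> <writing process>"; the
# process name is the final whitespace-free token, the path is everything before it.
FILE_EVENT_RE = re.compile(r"^File (?P<op>created|opened for modification) (?P<path>.+) (?P<proc>\S+)$")


def parse_file_events(lines):
    """(op, PureWindowsPath, process) for every file-event line that parses."""
    events = []
    for line in lines:
        m = FILE_EVENT_RE.match(line.strip())
        if m:
            events.append((m.group("op"), PureWindowsPath(m.group("path")), m.group("proc")))
    return events


def candidate_suffixes(name):
    """Dotted tails of a file name whose removal still leaves an extension behind.

    'vlc.mo.payfast290.101-1DC-526' -> ['.payfast290.101-1DC-526', '.101-1DC-526']
    'POWERPNT_COL.HXC'              -> []   (stripping '.HXC' leaves no extension)
    """
    return [name[i:] for i, ch in enumerate(name) if ch == "." and "." in name[:i]]


def appended_extension(events, min_files=3):
    """Most frequent candidate tail across modified files (longest on ties).

    Returns (suffix, file_count), or (None, 0) when no tail repeats min_files times.
    """
    counts = Counter()
    for op, path, _proc in events:
        if op == "opened for modification":
            counts.update(candidate_suffixes(path.name))
    best = max(counts.items(), key=lambda kv: (kv[1], len(kv[0])), default=(None, 0))
    return best if best[1] >= min_files else (None, 0)


def ransom_note_candidates(events, min_dirs=3):
    """File names *created* in at least min_dirs distinct directories -> directory count."""
    dirs_by_name = defaultdict(set)
    for op, path, _proc in events:
        if op == "created":
            dirs_by_name[path.name].add(str(path.parent))
    return {name: len(dirs) for name, dirs in dirs_by_name.items() if len(dirs) >= min_dirs}


def encrypted_files(events, suffix):
    """Modified files already carrying the appended extension."""
    return sorted(str(p) for op, p, _proc in events
                  if op == "opened for modification" and p.name.endswith(suffix))


def triage(lines):
    """One-shot summary a responder can paste into notes."""
    events = parse_file_events(lines)
    suffix, _count = appended_extension(events)
    return {
        "events": len(events),
        "writers": sorted({proc for _op, _path, proc in events}),
        "appended_extension": suffix,
        "encrypted_files": encrypted_files(events, suffix) if suffix else [],
        "ransom_notes": ransom_note_candidates(events),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_FILE_LINES)
    print(f"writer(s): {summary['writers']}")
    print(f"appended extension: {summary['appended_extension']}")
    print(f"ransom note(s): {summary['ransom_notes']}")
    for path in summary["encrypted_files"]:
        print("  encrypted:", path)
```

On the subset this recovers ".payfast290.101-1DC-526", four encrypted files and the ransom note name seen in three directories; on the full 64-entry list the same logic gives 17 encrypted files and 9 note locations. The tie-break toward the longer tail matters here because ".101-1DC-526" is shared by exactly the same files; for a single-component marker such as ".locked" appended after ".docx" the shorter tail is the correct answer and the same code still finds it, since ".docx.locked" no longer leaves an extension behind and is not counted.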
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key enumerated by 718a32e1233d20058b882251b0265872880e64e5be9ba5c3ff42dfc430f12c91.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Key opened by 718a32e1233d20058b882251b0265872880e64e5be9ba5c3ff42dfc430f12c91.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Key queried by 718a32e1233d20058b882251b0265872880e64e5be9ba5c3ff42dfc430f12c91.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
- PID 1052: vssadmin.exe
- PID 2068: vssadmin.exe
Modifies system certificate store (2 IoCs)
- Key created by C2F8.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
- Set value (data) by C2F8.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob not reproduced in the report)
Note: writes under AuthRoot\Certificates are also what Windows' automatic root-certificate update produces when a process validates a TLS chain whose root is not yet cached (compare the CryptnetUrlCache files under Downloads), so on its own this hit is weak evidence of deliberate trust-store tampering. Check the thumbprint against Microsoft's published root list before treating it as an attacker-installed certificate.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2344 (718a32e1233d20058b882251b0265872880e64e5be9ba5c3ff42dfc430f12c91.exe): 2 hits
- PID 3016 (image name not recorded in the report): 62 hits

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 3016

Suspicious behavior: MapViewOfSection (19 IoCs)
- PID 2344 (718a32e1233d20058b882251b0265872880e64e5be9ba5c3ff42dfc430f12c91.exe): 1 hit
- PID 3016: 18 hits

Suspicious use of AdjustPrivilegeToken (64 IoCs shown)
- C2F8.exe (PID 1376): SeDebugPrivilege, twice
- PID 3016: SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, four times each
- vssvc.exe (PID 3336): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- WMIC.exe (PID 3024) and WMIC.exe (PID 1104), each: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (the unnamed LUIDs are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege)
- The list is cut at 64 entries mid-way through a second round of the same WMIC.exe privileges.
Note: wmic.exe enabling every privilege in its token at start-up is normal WMIC behaviour, not something the malware asked for; the interesting rows are C2F8.exe taking SeDebugPrivilege (needed to open other processes) and vssvc.exe being woken up with backup/restore rights by the shadow-copy deletion below.

Suspicious use of UnmapMainImage (1 IoC)
- PID 3016

Suspicious use of WriteProcessMemory (64 IoCs shown)
Writer PID -> target PID (writer image; number of writes; procid_target):
- 4060 -> 2344 (718a32e1233d20058b882251b0265872880e64e5be9ba5c3ff42dfc430f12c91.exe; 6 writes; 75)
- 3016 -> 1376 (image not recorded; 3 writes; 79)
- 3016 -> 3772 (image not recorded; 4 writes; 80)
- 3016 -> 3636 (image not recorded; 3 writes; 81)
- 3016 -> 3880 (image not recorded; 4 writes; 82)
- 3016 -> 3640 (image not recorded; 3 writes; 83)
- 1376 -> 580 (C2F8.exe; 3 writes; 84)
- 1376 -> 1424 (C2F8.exe; 6 writes; 85)
- 3016 -> 2516 (image not recorded; 4 writes; 86)
- 3016 -> 2432 (image not recorded; 3 writes; 87)
- 3016 -> 3660 (image not recorded; 4 writes; 88)
- 3016 -> 3184 (image not recorded; 3 writes; 89)
- 3016 -> 208 (image not recorded; 4 writes; 90)
- 580 -> 3756 (smss.exe; 3 writes; 91)
- 580 -> 2260 (smss.exe; 3 writes; 92)
- 580 -> 2224 (smss.exe; 3 writes; 93)
- 580 -> 2852 (smss.exe; 3 writes; 94)
- 580 -> 2192 (smss.exe; 2 writes shown before the 64-entry cut-off; 95)
Note: PID 3016 never appears in the process tree, yet it is the writer into C2F8.exe (1376) and into all nine explorer.exe instances, and it carries the self-deletion, GetForegroundWindowSpam and UnmapMainImage hits; it is the missing parent of the tree's level-1 entries other than the submitted sample. The three-to-four-write rows match what the sandbox also records for plainly created children (smss.exe into its own cmd.exe children), so a write count alone does not prove injection. The two six-write rows do stand out: 4060 -> 2344 is paired with SetThreadContext (the unpacking injection), and 1376 -> 1424 is C2F8.exe writing into notepad.exe, which makes that notepad instance worth a memory dump.
Processes
(indentation follows the parent/child relationship recorded by the sandbox; the level number from the report is kept in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\718a32e1233d20058b882251b0265872880e64e5be9ba5c3ff42dfc430f12c91.exe, PID 4060
    command line: "C:\Users\Admin\AppData\Local\Temp\718a32e1233d20058b882251b0265872880e64e5be9ba5c3ff42dfc430f12c91.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\718a32e1233d20058b882251b0265872880e64e5be9ba5c3ff42dfc430f12c91.exe, PID 2344
      command line: "C:\Users\Admin\AppData\Local\Temp\718a32e1233d20058b882251b0265872880e64e5be9ba5c3ff42dfc430f12c91.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\C2F8.exe, PID 1376
    command line: C:\Users\Admin\AppData\Local\Temp\C2F8.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe, PID 580
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe, PID 3756
        command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      [4] C:\Windows\SysWOW64\Wbem\WMIC.exe, PID 3024
          command line: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe, PID 2260
        command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    [3] C:\Windows\SysWOW64\cmd.exe, PID 2224
        command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    [3] C:\Windows\SysWOW64\cmd.exe, PID 2852
        command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    [3] C:\Windows\SysWOW64\cmd.exe, PID 2192
        command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      [4] C:\Windows\SysWOW64\vssadmin.exe, PID 1052
          command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe, PID 1308
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
        - Executes dropped EXE
        - Drops file in Program Files directory
    [3] C:\Windows\SysWOW64\cmd.exe, PID 3816
        command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      [4] C:\Windows\SysWOW64\Wbem\WMIC.exe, PID 1104
          command line: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\vssadmin.exe, PID 2068
          command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\notepad.exe, PID 1424
      command line: notepad.exe

[1] C:\Windows\SysWOW64\explorer.exe, PID 3772
[1] C:\Windows\explorer.exe, PID 3636
[1] C:\Windows\SysWOW64\explorer.exe, PID 3880
[1] C:\Windows\explorer.exe, PID 3640
[1] C:\Windows\SysWOW64\explorer.exe, PID 2516
[1] C:\Windows\explorer.exe, PID 2432
[1] C:\Windows\SysWOW64\explorer.exe, PID 3660
[1] C:\Windows\explorer.exe, PID 3184
[1] C:\Windows\SysWOW64\explorer.exe, PID 208

[1] C:\Windows\system32\vssvc.exe, PID 3336
    command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

Reading the tree:
- The submitted sample (4060) unpacks into a second copy of itself (2344); the Buran stage arrives separately as C2F8.exe, which copies itself to the Roaming profile as smss.exe, persists it via the Run key and starts it with -start. That instance (580) does the recovery inhibition and spawns the "-agent 0" worker (1308) that performs the encryption.
- Recovery inhibition is attempted twice: once as five separate cmd /C children of smss.exe -start, and once more from ~temp001.bat (PID 3816). Only wmic.exe and vssadmin.exe show up as grandchildren; no bcdedit.exe or wbadmin.exe process is recorded, so the boot-configuration and backup-catalog commands did not produce a child process in this run. All five command lines are still worth alerting on, since the attempt is the signal.
- C2F8.exe and the nine explorer.exe instances have no parent in the tree; the WriteProcessMemory section shows PID 3016 (image name not recorded) writing into each of them, so 3016 is their parent.
- vssvc.exe (PID 3336) is the Volume Shadow Copy service being started on demand by the vssadmin/wmic calls; it is a Windows component, not a dropped file, and its SeBackup/SeRestore privileges are its own.
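The five recovery-inhibition command lines in the tree above are the highest-confidence detection this report offers, and the useful unit of alerting is not the individual cmd.exe child but the process that ordered all of them. The following is an added example, not tooling from the sandbox: it classifies each command line against the T1490 patterns seen here, walks up through shell and LOLBin wrappers (cmd.exe, wmic.exe, vssadmin.exe, and so on; the list is the author's) to the first real ancestor, and reports that ancestor once it has issued two or more distinct recovery-inhibition commands. The event list is constructed from the process tree in this report; the parent of C2F8.exe (PID 3016) is taken from the WriteProcessMemory section because the tree itself does not record it.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import NamedTuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


CMD = r"C:\Windows\SysWOW64\cmd.exe"
SMSS = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe"

# Constructed from the process tree in this report; parent links follow the
# tree depth, except C2F8.exe whose parent (3016) comes from WriteProcessMemory.
SAMPLE_EVENTS = [
    ProcEvent(1376, 3016, r"C:\Users\Admin\AppData\Local\Temp\C2F8.exe", r"C:\Users\Admin\AppData\Local\Temp\C2F8.exe"),
    ProcEvent(580, 1376, SMSS, f'"{SMSS}" -start'),
    ProcEvent(3756, 580, CMD, r'"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete'),
    ProcEvent(3024, 3756, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(2260, 580, CMD, r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no'),
    ProcEvent(2224, 580, CMD, r'"C:\Windows\system32\cmd.exe" /C b' + 'cdedit /set {default} bootstatuspolicy ignoreallfailures'),
    ProcEvent(2852, 580, CMD, r'"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet'),
    ProcEvent(2192, 580, CMD, r'"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet'),
    ProcEvent(1052, 2192, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(1308, 580, SMSS, f'"{SMSS}" -agent 0'),
    ProcEvent(3816, 580, CMD, r'"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat'),
    ProcEvent(1104, 3816, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(2068, 3816, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(1424, 1376, r"C:\Windows\SysWOW64\notepad.exe", "notepad.exe"),
]

# One pattern per recovery-inhibition command (ATT&CK T1490), matched against a
# lower-cased, whitespace-normalised command line.
RECOVERY_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    "bcdedit_recovery_disabled": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b"),
    "bcdedit_ignore_boot_failures": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b"),
}

# Processes that only carry the command for someone else; attribution walks up
# through these to the first ancestor that is not one of them (author's list).
PASS_THROUGH = {"cmd.exe", "powershell.exe", "wmic.exe", "vssadmin.exe", "bcdedit.exe", "wbadmin.exe"}


def classify(cmdline):
    """Set of T1490 tags a single command line matches (empty for benign lines)."""
    norm = " ".join(cmdline.split()).lower()
    return {tag for tag, rx in RECOVERY_PATTERNS.items() if rx.search(norm)}


def owner_of(event, by_pid):
    """PID of the nearest ancestor that is not a shell/LOLBin wrapper."""
    current = event
    while PureWindowsPath(current.image).name.lower() in PASS_THROUGH:
        parent = by_pid.get(current.ppid)
        if parent is None:      # chain leaves the recorded events: stop here
            break
        current = parent
    return current.pid


def attribute_recovery_tampering(events):
    """Owning PID -> set of distinct T1490 tags issued underneath it."""
    by_pid = {e.pid: e for e in events}
    findings = defaultdict(set)
    for e in events:
        tags = classify(e.cmdline)
        if tags:
            findings[owner_of(e, by_pid)] |= tags
    return dict(findings)


def alerts(events, min_distinct=2):
    """Owners that issued at least min_distinct different recovery-inhibition commands."""
    return {pid: sorted(tags) for pid, tags in attribute_recovery_tampering(events).items()
            if len(tags) >= min_distinct}


if __name__ == "__main__":
    for pid, tags in alerts(SAMPLE_EVENTS).items():
        print(f"PID {pid} inhibited recovery via: {', '.join(tags)}")
```

On the sample events every hit, including the wmic.exe and vssadmin.exe grandchildren and the second wave from ~temp001.bat, collapses onto PID 580 (smss.exe -start) with all five tags, which is the process a responder wants named in the alert. Requiring two distinct tags keeps a lone administrative "vssadmin delete shadows" from paging anyone while still firing before encryption starts, since in this tree the recovery inhibition precedes the "-agent 0" worker.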
MITRE ATT&CK Enterprise v6 (framework version behind the TTP counts in the Signatures section; the network flows and the ATT&CK matrix view were not captured with this page)
Downloads
Note: the six CryptnetUrlCache entries are written by Windows' own CryptoAPI network cache (certificate-chain, CRL and root-update fetches made on behalf of a process). They help timeline which process performed TLS validation, but they are not payloads dropped by the sample. The remaining entries are listed by the report without a file path.

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5: bc382383b6c90d20dba3f58aa0f40ade
  SHA1: b626e4d049d88702236910b302c955eecc8c7d5f
  SHA256: bf25937b534e738f02e5ec01592dd9a72d79e67bc32f3a5e157a0608f5bbd117
  SHA512: 651e85acf56ec7bffdc10941ba3bcebea5aede44d479e4db5d61160de2b975c484499a95564adaf90f350d6a1bf3aa97774019f1464045114cbb97806fc76c2f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5: a2981517afbb3ebe48d2168b07274f47
  SHA1: 78e0fa382ca97436ec5c43209a2e391b41d356ab
  SHA256: f5ef795d1577213ce930034afc93387232cc95dfe53db40db0ed65fbb44bcfae
  SHA512: 4e939a2270036ebf0eaec96ba231eb38cb4e2389064a30e5f3b9e5e5581d363ab934431e69978e015f25f3352d17e3b3242d02357aa034838a94912fa8d6ba15
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: 0465994d32988b4ff5811340c4905188
  SHA1: 7b4043cbd9509bc78b08863ad22b720632686785
  SHA256: b33b95c79ca7fc2da4e43282f29ec14db42bdafd53c8888de793cea52caa20bb
  SHA512: 04654263a6391c84e0fd230a992dbd107f905599a066d124055591ce19a9d74b61627bb9d4dc9df89f396b12f795b649f0331e4aad39304a5ad0e0bccc36ad43
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5: c1befcf455f369cabc3702ba9b56c572
  SHA1: 4d92ed6e682804187243e2612c43b4a2de173a12
  SHA256: aa1cc8531593b3f6321ff65d8700558075a28b450ee624e516ede23f520f5e1b
  SHA512: 8e26594fd8e46bdf0390ebad5a5c60ec0dbc54148d6bd05e5b0cfae63b95ab4882f3b48965b7770bf21e08d37f82089ec2211fb058780fd0676ddd942505752c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5: 1029e987da4603a8591a08ed00adbd02
  SHA1: 87c60bf7e87f37cff18d8a2406265c64d6738202
  SHA256: dab91dfe569211c4fb512cfc940984d3c127a1999e3831a2290f0eebd9c8751c
  SHA512: 0110d165ad2a2179a96756478a35cc49b486afc5edf4ac2f6b7138b49ead7e446de0852188fbc49055f0d05e535c20a2c67b20e8a809679866ed1f9b38d97aad
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: a75a8ccffe67a6e3996fd22092b88d65
  SHA1: 0268299fba45bc9c30b9e363b7a25f51ae47ba4b
  SHA256: c5458d63d951c4b73c8c3bdee76f3be3f4eda52af683be5c42e3b674666829de
  SHA512: 5ed231dfbd8dd0b6d5d12d2c07e88d4548ca52ace3fb2f041baa4d6e73e2a776e2f0ea3d9cff87ca00016994765ad3ebbe6e611f75b061c8d6e681d994fef538
- (path not captured)
  MD5: b1cd7c031debba3a5c77b39b6791c1a7
  SHA1: e5d91e14e9c685b06f00e550d9e189deb2075f76
  SHA256: 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
  SHA512: d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
- (path not captured)
  MD5: 8615e70875c2cc0b9db16027b9adf11d
  SHA1: 4ed62cf405311c0ff562a3c59334a15ddc4f1bf9
  SHA256: da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d
  SHA512: cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73
- (path not captured; the report lists this same hash set for five separate files, i.e. five byte-identical copies)
  MD5: bdfde890a781bf135e6eb4339ff9424f
  SHA1: a5bfca4601242d3ff52962432efb15ab9202217f
  SHA256: b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5
  SHA512: 7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b
- (path not captured)
  MD5: ef572e2c7b1bbd57654b36e8dcfdc37a
  SHA1: b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
  SHA256: e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
  SHA512: b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9