Resubmissions
Date              Analysis ID         Score
19-10-2021 14:03  211019-rcwpqsfhg4   10
19-10-2021 13:56  211019-q8vxmsfhf4   10
15-10-2021 16:42  211015-t719tabbe4   10

Analysis
Max time kernel: 139s
Max time network: 146s
Platform: windows7_x64
Resource: win7-en-20210920
Submitted: 19-10-2021 13:56

Static task: static1
Behavioral task: behavioral1
  Sample: 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
  Resource: win10-en-20211014

General
Target: 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
Size: 42KB
MD5: d29a5ac669fd239a2df8a7ba6bad4b75
SHA1: b18e00d53474c95fa0720b1720557e4d9a09f161
SHA256: 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512
SHA512: c1e104375d445d7431fd68d0cb6731e459aa0be5b8495bcdca147d0052aa18e4a1f0817d54e2b72489cc9668772c36d6243f716cf542d48a3514f4fb3060a7b6
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\817767331\readme-warning.txt
Family: makop
Emails: makopransom@outlook.com
Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Processes:
  wbadmin.exe (pid 1700)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  vssadmin.exe (pid 760)
Modifies system certificate store
Processes:
  4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted]
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted]
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe (pid 2012)

Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes:
  vssvc.exe (pid 1660): Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  wbengine.exe (pid 1628): Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  WMIC.exe (pid 540): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this sequence of 20 token adjustments is recorded twice)

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  PID 2012 (4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe) wrote to memory of 332 (cmd.exe): 4 events
  PID 332 (cmd.exe) wrote to memory of 760 (vssadmin.exe): 3 events
  PID 332 (cmd.exe) wrote to memory of 1700 (wbadmin.exe): 3 events
  PID 332 (cmd.exe) wrote to memory of 540 (WMIC.exe): 3 events
  PID 2012 (4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe) wrote to memory of 584 (NOTEPAD.EXE): 4 events
Processes
[1] C:\Users\Admin\AppData\Local\Temp\4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe"
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe" n2012
    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe
            Command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
        [3] C:\Windows\system32\wbadmin.exe
            Command line: wbadmin delete catalog -quiet
            - Deletes backup catalog
        [3] C:\Windows\System32\Wbem\WMIC.exe
            Command line: wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\NOTEPAD.EXE
        Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\vdsldr.exe
    Command line: C:\Windows\System32\vdsldr.exe -Embedding
[1] C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Desktop\readme-warning.txt
  MD5: fedc6e4006fbfceb0967ddf88f1ad348
  SHA1: 4d94294e5c2918e410502ebd6cf71e0b4dbdd6e6
  SHA256: f5ffb8388a3b741156957f0b7e45321ed41a847880e44b4a9eac28a60001517a
  SHA512: 640fbb4be0b2aa88a295980c92f1d802ce4e39fdb40393370b21606c3517620e64ebb62dd5ee2e8c694935d6e89e5224d510752a621a748c654b75f509b93a6a
memory/332-54-0x0000000000000000-mapping.dmp
memory/540-59-0x0000000000000000-mapping.dmp
memory/584-60-0x0000000000000000-mapping.dmp
memory/760-56-0x0000000000000000-mapping.dmp
memory/1700-57-0x0000000000000000-mapping.dmp
memory/1700-58-0x000007FEFB691000-0x000007FEFB693000-memory.dmp (Filesize: 8KB)
memory/2012-53-0x0000000075FA1000-0x0000000075FA3000-memory.dmp (Filesize: 8KB)