Resubmissions
  Submitted          Analysis ID          Score
  19-10-2021 14:03   211019-rcwpqsfhg4    10
  19-10-2021 13:56   211019-q8vxmsfhf4    10
  15-10-2021 16:42   211015-t719tabbe4    10

Analysis
  Max time kernel    122s
  Max time network   143s
  Platform           windows7_x64
  Resource           win7-en-20210920
  Submitted          19-10-2021 14:03
Static task
  static1

Behavioral task behavioral1
  Sample     4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
  Resource   win7-en-20210920

Behavioral task behavioral2
  Sample     4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
  Resource   win10-en-20210920

The signatures, process tree and dumps below are from the windows7_x64 run (resource win7-en-20210920).
General
  Target   4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
  Size     42KB
  MD5      d29a5ac669fd239a2df8a7ba6bad4b75
  SHA1     b18e00d53474c95fa0720b1720557e4d9a09f161
  SHA256   4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512
  SHA512   c1e104375d445d7431fd68d0cb6731e459aa0be5b8495bcdca147d0052aa18e4a1f0817d54e2b72489cc9668772c36d6243f716cf542d48a3514f4fb3060a7b6
Malware Config
Extracted
  Path     C:\Users\Admin\AppData\Local\Temp\675896595\readme-warning.txt
  Family   makop
  Email    makopransom@outlook.com
Signatures

Makop
  Ransomware family discovered by @VK_Intel in early 2020.

Deletes shadow copies 2 TTPs
  Ransomware often targets backup files to inhibit system recovery.
  Processes: wbadmin.exe (PID 976)

Modifies extensions of user files 1 IoCs
  Ransomware generally changes the extension on encrypted files.
  Processes: 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
    File opened for modification   C:\Users\Admin\Pictures\MountNew.tiff
  Only the pre-encryption path is recorded; the report does not show the extension the sample appends.

Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
  No IoCs are listed for this signature in this report.

Legitimate hosting services abused for malware hosting/C2 1 TTPs
  No IoCs are listed for this signature in this report.
Drops file in Program Files directory 64 IoCs
  Processes: 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe (all 64 rows)

  File created (4 rows, all copies of the ransom note):
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\readme-warning.txt
    C:\Program Files\VideoLAN\VLC\lua\http\js\readme-warning.txt
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\readme-warning.txt
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\readme-warning.txt

  File opened for modification (60 rows, in report order):
    C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0196400.WMF
    C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART10.BDR
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ModifiedTelespace.ico
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar
    C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107262.WMF
    C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\RICEPAPR.ELM
    C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\triangle.png
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar
    C:\Program Files\Java\jre7\lib\cmm\sRGB.pf
    C:\Program Files\Java\jre7\lib\zi\Africa\Maputo
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237759.WMF
    C:\Program Files (x86)\Microsoft Office\Templates\1033\MedianMergeLetter.Dotx
    C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285792.WMF
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG
    C:\Program Files\7-Zip\Lang\si.txt
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+4
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.events_3.0.0.draft20060413_v201105210656.jar
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiler.jar
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP
    C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15073_.GIF
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplateRTL.html
    C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_over.png
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar
    C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\eBook.api
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151067.WMF
    C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_spellcheck.gif
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FORM.JS
    C:\Program Files (x86)\Microsoft Office\Stationery\1033\OFFISUPP.HTM
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif
    C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105246.WMF
    C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143750.GIF
    C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\currency.js
    C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\GRAY.pf
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-2
    C:\Program Files\Java\jre7\lib\zi\Asia\Singapore
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VeriSign_Class_3_Code_Signing_2001-4_CA.cer
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Messenger.xml
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar
    C:\Program Files\Windows Media Player\en-US\setup_wm.exe.mui
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00142_.GIF
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105504.WMF
    C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Sts.css
    C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF
    C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Angles.eftx
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_decreaseindent.gif
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178348.JPG
    C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251925.WMF
    C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryNewsletter.dotx
    C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui
    C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar
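
As extracted, the file-IoC table above is one flat run of "<description> <path> <process>" rows with no separators, and paths contain spaces, so splitting on whitespace does not recover it. The Python below is an added example, not part of the Triage report: it parses that flattened form back into (action, path) rows using the trailing process name as the row terminator, then summarises what an analyst wants from the table (how many ransom-note copies were created, in which directories, and which file types were opened for modification). The input is a six-row excerpt copied from the table above and re-joined the way the extraction flattened it; the function and variable names are the example's own.

```python
"""Parse flattened Triage file-IoC rows and summarise them.

Added example, not part of the Triage report. The input format assumed is
repeated "<description> <path> <process>" rows with no separators, which is
how the 'Drops file in Program Files directory' table renders when flattened.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

PROCESS = "4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe"

# Six rows copied from the report above, re-joined into one string exactly
# the way the extraction flattened the original table.
ROWS_AS_EXTRACTED = " ".join([
    r"File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0196400.WMF " + PROCESS,
    r"File opened for modification C:\Program Files\Java\jre7\lib\cmm\sRGB.pf " + PROCESS,
    r"File created C:\Program Files\VideoLAN\VLC\lua\http\js\readme-warning.txt " + PROCESS,
    r"File opened for modification C:\Program Files\7-Zip\Lang\si.txt " + PROCESS,
    r"File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\readme-warning.txt " + PROCESS,
    r"File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+4 " + PROCESS,
])

# Descriptions Triage uses in this table; add more if other reports need them.
ACTIONS = ("File opened for modification", "File created")


def parse_file_iocs(text, process=PROCESS):
    """Return a list of (action, path) tuples recovered from the flattened text.

    Paths may contain spaces, so the only reliable row terminator is the
    process name that Triage prints after every path.
    """
    alternatives = "|".join(re.escape(a) for a in ACTIONS)
    pattern = re.compile(r"(" + alternatives + r") (.+?) " + re.escape(process))
    return [(m.group(1), m.group(2)) for m in pattern.finditer(text)]


def summarise(rows, note_name="readme-warning.txt"):
    """Counts per action, directories that received the ransom note, and
    the extensions of files opened for modification."""
    by_action = Counter(action for action, _ in rows)
    note_dirs = sorted(
        str(PureWindowsPath(path).parent)
        for action, path in rows
        if action == "File created" and PureWindowsPath(path).name.lower() == note_name
    )
    # Files without a suffix (tz database entries such as Etc\GMT+4) are reported as "<none>".
    extensions = Counter(
        (PureWindowsPath(path).suffix.lower() or "<none>")
        for action, path in rows
        if action == "File opened for modification"
    )
    return {"by_action": dict(by_action), "note_dirs": note_dirs, "extensions": dict(extensions)}


if __name__ == "__main__":
    parsed = parse_file_iocs(ROWS_AS_EXTRACTED)
    for action, path in parsed:
        print(f"{action:28s} {path}")
    print(summarise(parsed))
```

Feeding the full 64-row run from the table above through parse_file_iocs gives the 60 modified files and 4 note copies listed; the suffix counter is what shows at a glance that the sample is touching every file type it finds rather than a curated list.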
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies 2 TTPs 1 IoCs
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1136)
Modifies system certificate store 3 IoCs
  Processes: 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
    Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
    Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob, value not reproduced in this extract)
    Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (second write to the same value, not reproduced)
  Writes under AuthRoot\Certificates keyed by a certificate thumbprint are what the automatic root-certificate update produces when a process validates a certificate chain, so this entry on its own is weak evidence of deliberate tampering with the certificate store.
Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes: 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe (PID 1836)
Suspicious use of AdjustPrivilegeToken 46 IoCs
  Processes:
    vssvc.exe (PID 1164): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    wbengine.exe (PID 1744): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
    WMIC.exe (PID 1628), the following 20 privileges enabled twice (40 rows):
      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
      SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
      SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
      SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
      33, 34, 35
  Triage prints privileges it cannot name by LUID; on Windows 7, LUIDs 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. WMIC enabling every privilege in its token at start-up is its normal behaviour and is not specific to this sample; the indicator worth alerting on is the command line it was given ("wmic shadowcopy delete", see the process tree below), not the privilege adjustment.
Suspicious use of FindShellTrayWindow 1 IoCs
  Processes: 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe (PID 1836)
Suspicious use of WriteProcessMemory 17 IoCs
  Processes:
    PID 1836 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe wrote to memory of PID 1572 cmd.exe (4 rows)
    PID 1572 cmd.exe wrote to memory of PID 1136 vssadmin.exe (3 rows)
    PID 1572 cmd.exe wrote to memory of PID 976 wbadmin.exe (3 rows)
    PID 1572 cmd.exe wrote to memory of PID 1628 WMIC.exe (3 rows)
    PID 1836 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe wrote to memory of PID 1508 NOTEPAD.EXE (4 rows)
  Every target is a child the writer has just created, which is consistent with ordinary process creation rather than injection into an unrelated running process; what this signature documents is the parent/child chain sample -> cmd.exe -> vssadmin.exe / wbadmin.exe / WMIC.exe.
Processes (PIDs cross-referenced from the IoC sections above; indentation shows parent/child)

  C:\Users\Admin\AppData\Local\Temp\4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe  (PID 1836)
  command line: "C:\Users\Admin\AppData\Local\Temp\4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe"
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe  (PID 1572)
      command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory

          C:\Windows\system32\vssadmin.exe  (PID 1136)
          command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies

          C:\Windows\system32\wbadmin.exe  (PID 976)
          command line: wbadmin delete catalog -quiet
            - Deletes backup catalog

          C:\Windows\System32\Wbem\WMIC.exe  (PID 1628)
          command line: wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\NOTEPAD.EXE  (PID 1508)
      command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
      (the sample asked for system32\NOTEPAD.EXE; WOW64 file-system redirection resolved it to SysWOW64, which tells you the sample is a 32-bit image)

  C:\Windows\system32\vssvc.exe  (PID 1164)
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\wbengine.exe  (PID 1744)
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\vdsldr.exe -Embedding

  C:\Windows\System32\vds.exe

vssvc.exe, wbengine.exe, vdsldr.exe and vds.exe are the Volume Shadow Copy, Block Level Backup Engine and Virtual Disk services started by the service control manager and COM in response to the vssadmin, wbadmin and wmic commands; they are not children of the sample.
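
The tree above is the complete recovery-inhibition chain: the sample spawns cmd.exe, which runs vssadmin, wbadmin and WMIC within seconds of each other. Any one of those commands is something an administrator also types, so a useful detection keys on the combination under a single ancestor, not on the individual command line. The Python below is an added example, not code from the report or from Triage, that scores that chain from process-creation telemetry (records shaped like Sysmon Event ID 1 or Windows 4688). The events are constructed for the example: the PIDs, images and command lines are taken from the tree above; the timestamps, the sample's parent PID and the explorer.exe-rooted administrative vssadmin run are invented to show the severity split.

```python
"""Score the Inhibit System Recovery chain (ATT&CK T1490) from process-creation events.

Added example, not part of the Triage report. EVENTS are constructed: PIDs,
images and command lines come from the report's process tree; timestamps,
the sample's parent PID (900) and the explorer.exe admin session (PIDs 1000,
2000, 2001) are invented for the example.
"""
import re
from collections import defaultdict

SAMPLE = "4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE

# Command lines that delete Volume Shadow Copies or the Windows Backup catalog.
# The optional ".exe" and the case-insensitive flag cover full-path invocations.
INHIBIT_RECOVERY = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic shadowcopy delete",  re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin delete catalog",  re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]

EVENTS = [  # ts in seconds; pid/ppid/image/cmd as in Sysmon EID 1
    {"ts": 0, "pid": 1836, "ppid": 900, "image": SAMPLE_PATH, "cmd": '"' + SAMPLE_PATH + '"'},
    {"ts": 5, "pid": 1572, "ppid": 1836, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'"C:\Windows\system32\cmd.exe"'},
    {"ts": 6, "pid": 1136, "ppid": 1572, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"ts": 7, "pid": 976, "ppid": 1572, "image": r"C:\Windows\system32\wbadmin.exe",
     "cmd": "wbadmin delete catalog -quiet"},
    {"ts": 8, "pid": 1628, "ppid": 1572, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete"},
    {"ts": 9, "pid": 1508, "ppid": 1836, "image": r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     "cmd": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt'},
    # Invented: an administrator pruning one shadow copy from an interactive shell.
    {"ts": 400, "pid": 1000, "ppid": 700, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"ts": 401, "pid": 2000, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe", "cmd": "cmd.exe"},
    {"ts": 402, "pid": 2001, "ppid": 2000, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /for=C: /oldest"},
]


def match_inhibit_recovery(cmdline):
    """Name of the matching technique, or None."""
    for name, rx in INHIBIT_RECOVERY:
        if rx.search(cmdline):
            return name
    return None


def ancestry(index, pid):
    """(pid, image basename) pairs from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in index and pid not in seen:      # seen guards against PID reuse loops
        seen.add(pid)
        chain.append((pid, index[pid]["image"].rsplit("\\", 1)[-1]))
        pid = index[pid]["ppid"]
    return chain[::-1]


def detect(events, window_s=60):
    """One hit per inhibit-recovery command, with its process chain and a severity.

    'high' when the same root ancestor drives two or more distinct techniques
    within window_s seconds (the burst a ransomware launcher produces);
    'medium' for a lone deletion, which administrators do legitimately.
    """
    index = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        rule = match_inhibit_recovery(e["cmd"])
        if rule is None:
            continue
        chain = ancestry(index, e["pid"])
        hits.append({"pid": e["pid"], "ts": e["ts"], "rule": rule,
                     "root_pid": chain[0][0],
                     "chain": " -> ".join(name for _, name in chain)})
    by_root = defaultdict(list)
    for h in hits:
        by_root[h["root_pid"]].append(h)
    for group in by_root.values():
        techniques = {h["rule"] for h in group}
        span = max(h["ts"] for h in group) - min(h["ts"] for h in group)
        severity = "high" if len(techniques) >= 2 and span <= window_s else "medium"
        for h in group:
            h["severity"] = severity
    return hits


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(f'[{h["severity"]:6}] pid {h["pid"]:<5} {h["rule"]:24} {h["chain"]}')
```

Grouping by the root ancestor's PID rather than by the immediate parent is deliberate: here the three deletions share cmd.exe as parent, but a launcher that runs each command through its own cmd.exe instance would otherwise split into three single-technique, medium-severity hits.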
Network
  No network indicators are listed in this report.

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

  C:\Users\Admin\Desktop\readme-warning.txt
    MD5      fedc6e4006fbfceb0967ddf88f1ad348
    SHA1     4d94294e5c2918e410502ebd6cf71e0b4dbdd6e6
    SHA256   f5ffb8388a3b741156957f0b7e45321ed41a847880e44b4a9eac28a60001517a
    SHA512   640fbb4be0b2aa88a295980c92f1d802ce4e39fdb40393370b21606c3517620e64ebb62dd5ee2e8c694935d6e89e5224d510752a621a748c654b75f509b93a6a

  Memory dumps (filename encodes PID, dump index and address range):
    memory/976-56-0x0000000000000000-mapping.dmp
    memory/976-57-0x000007FEFB891000-0x000007FEFB893000-memory.dmp     8KB
    memory/1136-55-0x0000000000000000-mapping.dmp
    memory/1508-59-0x0000000000000000-mapping.dmp
    memory/1572-54-0x0000000000000000-mapping.dmp
    memory/1628-58-0x0000000000000000-mapping.dmp
    memory/1836-53-0x0000000075BF1000-0x0000000075BF3000-memory.dmp     8KB