Analysis
-
max time kernel
136s -
max time network
143s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
20-10-2021 09:39
Static task
static1
Behavioral task
behavioral1
Sample
makop_nowin.exe_.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
makop_nowin.exe_.exe
Resource
win10-en-20211014
General
-
Target
makop_nowin.exe_.exe
-
Size
34KB
-
MD5
5bcf1a6a65d8d0d2ad1c2a78935322b5
-
SHA1
c5af15f8170e3840ba756397cb1548fa9489fae9
-
SHA256
3b15b66bf6a7d7ebab6437906686037f23a797d15e0fbff3d6741d3f58db8f1e
-
SHA512
f21e3bc29b60d3ed248dd048774823d013beb43f2fcf7e560774f1987dc07ff42de2fb68a8dd3bad0653a8587cca9b9f18e0671342c81d8c5698b97a135eb639
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\074127051\readme-warning.txt
makop
coleman.dec@tutanota.com
lauracc@msgsafe.io
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Processes:
wbadmin.exepid process 1432 wbadmin.exe -
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
makop_nowin.exe_.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\EnterRead.tiff makop_nowin.exe_.exe File opened for modification C:\Users\Admin\Pictures\InitializeStep.tiff makop_nowin.exe_.exe File opened for modification C:\Users\Admin\Pictures\TraceRestore.tiff makop_nowin.exe_.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 64 IoCs
Processes:
makop_nowin.exe_.exedescription ioc process File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Tulip.jpg makop_nowin.exe_.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui makop_nowin.exe_.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.ja_5.5.0.165303.jar makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\PREVIEW.GIF makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\MSB1FRAR.ITS makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105368.WMF makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153047.WMF makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG makop_nowin.exe_.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar makop_nowin.exe_.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\HeartsMCE.lnk makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS11.POC makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\clock.css makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\settings.js makop_nowin.exe_.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip makop_nowin.exe_.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html makop_nowin.exe_.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Belem makop_nowin.exe_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\vlc.mo makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Metro.eftx makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js makop_nowin.exe_.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-back-static.png makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions_Doc.css makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHDHM.POC makop_nowin.exe_.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\readme-warning.txt makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309904.WMF makop_nowin.exe_.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105294.WMF makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01239K.JPG makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\ja-JP\Sidebar.exe.mui makop_nowin.exe_.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Indian\Christmas makop_nowin.exe_.exe File created C:\Program Files\VideoLAN\VLC\lua\http\dialogs\readme-warning.txt makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00438_.WMF makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01162_.WMF makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341557.JPG makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Windows Media Player\ja-JP\wmplayer.exe.mui makop_nowin.exe_.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg makop_nowin.exe_.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Australia\Adelaide makop_nowin.exe_.exe File created C:\Program Files\Microsoft Games\Hearts\readme-warning.txt makop_nowin.exe_.exe File created C:\Program Files\Microsoft Games\Mahjong\en-US\readme-warning.txt makop_nowin.exe_.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105244.WMF makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\TexturedBlue.css makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic.xml makop_nowin.exe_.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png makop_nowin.exe_.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi makop_nowin.exe_.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Kiev makop_nowin.exe_.exe File created C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\readme-warning.txt makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.CNT makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\FM20.CHM makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\msjet.xsl makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions_Response.css makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Contacts.accdt makop_nowin.exe_.exe File created C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\readme-warning.txt makop_nowin.exe_.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-2.png makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01491_.WMF makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302953.JPG makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14529_.GIF makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21328_.GIF makop_nowin.exe_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up_BIDI.png makop_nowin.exe_.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png makop_nowin.exe_.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png makop_nowin.exe_.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 708 vssadmin.exe -
Processes:
makop_nowin.exe_.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 makop_nowin.exe_.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e makop_nowin.exe_.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e makop_nowin.exe_.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
makop_nowin.exe_.exepid process 2040 makop_nowin.exe_.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
vssvc.exewbengine.exeWMIC.exedescription pid process Token: SeBackupPrivilege 940 vssvc.exe Token: SeRestorePrivilege 940 vssvc.exe Token: SeAuditPrivilege 940 vssvc.exe Token: SeBackupPrivilege 1004 wbengine.exe Token: SeRestorePrivilege 1004 wbengine.exe Token: SeSecurityPrivilege 1004 wbengine.exe Token: SeIncreaseQuotaPrivilege 1872 WMIC.exe Token: SeSecurityPrivilege 1872 WMIC.exe Token: SeTakeOwnershipPrivilege 1872 WMIC.exe Token: SeLoadDriverPrivilege 1872 WMIC.exe Token: SeSystemProfilePrivilege 1872 WMIC.exe Token: SeSystemtimePrivilege 1872 WMIC.exe Token: SeProfSingleProcessPrivilege 1872 WMIC.exe Token: SeIncBasePriorityPrivilege 1872 WMIC.exe Token: SeCreatePagefilePrivilege 1872 WMIC.exe Token: SeBackupPrivilege 1872 WMIC.exe Token: SeRestorePrivilege 1872 WMIC.exe Token: SeShutdownPrivilege 1872 WMIC.exe Token: SeDebugPrivilege 1872 WMIC.exe Token: SeSystemEnvironmentPrivilege 1872 WMIC.exe Token: SeRemoteShutdownPrivilege 1872 WMIC.exe Token: SeUndockPrivilege 1872 WMIC.exe Token: SeManageVolumePrivilege 1872 WMIC.exe Token: 33 1872 WMIC.exe Token: 34 1872 WMIC.exe Token: 35 1872 WMIC.exe Token: SeIncreaseQuotaPrivilege 1872 WMIC.exe Token: SeSecurityPrivilege 1872 WMIC.exe Token: SeTakeOwnershipPrivilege 1872 WMIC.exe Token: SeLoadDriverPrivilege 1872 WMIC.exe Token: SeSystemProfilePrivilege 1872 WMIC.exe Token: SeSystemtimePrivilege 1872 WMIC.exe Token: SeProfSingleProcessPrivilege 1872 WMIC.exe Token: SeIncBasePriorityPrivilege 1872 WMIC.exe Token: SeCreatePagefilePrivilege 1872 WMIC.exe Token: SeBackupPrivilege 1872 WMIC.exe Token: SeRestorePrivilege 1872 WMIC.exe Token: SeShutdownPrivilege 1872 WMIC.exe Token: SeDebugPrivilege 1872 WMIC.exe Token: SeSystemEnvironmentPrivilege 1872 WMIC.exe Token: SeRemoteShutdownPrivilege 1872 WMIC.exe Token: SeUndockPrivilege 1872 WMIC.exe Token: SeManageVolumePrivilege 1872 WMIC.exe Token: 33 1872 WMIC.exe Token: 34 1872 WMIC.exe Token: 35 1872 WMIC.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
makop_nowin.exe_.execmd.exedescription pid process target process PID 2040 wrote to memory of 524 2040 makop_nowin.exe_.exe cmd.exe PID 2040 wrote to memory of 524 2040 makop_nowin.exe_.exe cmd.exe PID 2040 wrote to memory of 524 2040 makop_nowin.exe_.exe cmd.exe PID 2040 wrote to memory of 524 2040 makop_nowin.exe_.exe cmd.exe PID 524 wrote to memory of 708 524 cmd.exe vssadmin.exe PID 524 wrote to memory of 708 524 cmd.exe vssadmin.exe PID 524 wrote to memory of 708 524 cmd.exe vssadmin.exe PID 524 wrote to memory of 1432 524 cmd.exe wbadmin.exe PID 524 wrote to memory of 1432 524 cmd.exe wbadmin.exe PID 524 wrote to memory of 1432 524 cmd.exe wbadmin.exe PID 524 wrote to memory of 1872 524 cmd.exe WMIC.exe PID 524 wrote to memory of 1872 524 cmd.exe WMIC.exe PID 524 wrote to memory of 1872 524 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\makop_nowin.exe_.exe"C:\Users\Admin\AppData\Local\Temp\makop_nowin.exe_.exe"1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\makop_nowin.exe_.exe"C:\Users\Admin\AppData\Local\Temp\makop_nowin.exe_.exe" n20402⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/524-55-0x0000000000000000-mapping.dmp
-
memory/708-57-0x0000000000000000-mapping.dmp
-
memory/1432-58-0x0000000000000000-mapping.dmp
-
memory/1432-59-0x000007FEFBF91000-0x000007FEFBF93000-memory.dmpFilesize
8KB
-
memory/1872-60-0x0000000000000000-mapping.dmp
-
memory/2040-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmpFilesize
8KB