buran | 005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

Analysis

max time kernel
151s
max time network
131s
platform
windows10_x64
resource
win10-en-20211104
submitted
12-11-2021 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123.exe
Size

214KB
MD5

c14d403c9e9d6b6054e09ceee047fbf1
SHA1

2155b8d3b977f32641314207bb24126741b71d13
SHA256

005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23
SHA512

f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 13E-3F9-0A5 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

Processes:

csrss.execsrss.exe

pid	Process
492	csrss.exe
680	csrss.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid	Process
1328	notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

123.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run	123.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start"	123.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

csrss.exe

description	ioc	Process
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\I:	csrss.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\T:	csrss.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\F:	csrss.exe
File opened (read-only)	\??\A:	csrss.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\E:	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
9	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

csrss.exe

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-oob.xrm-ms.kd8eby0.13E-3F9-0A5	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\spider\Itsy_Bitsy_Spider_Unearned_small.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageLargeTile.scale-100.png	csrss.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe.kd8eby0.13E-3F9-0A5	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar.kd8eby0.13E-3F9-0A5	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupMedTile.scale-150.png	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\BI-Report.png.kd8eby0.13E-3F9-0A5	csrss.exe
File created	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\notice.txt.kd8eby0.13E-3F9-0A5	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.kd8eby0.13E-3F9-0A5	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.kd8eby0.13E-3F9-0A5	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconOpenInCinemagraph.scale-100.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\contrast-white\DashboardDefaultThumbnail.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorSplashScreen.contrast-black_scale-200.png	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_zh_4.4.0.v20140623020002.jar.kd8eby0.13E-3F9-0A5	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper.registry_1.0.300.v20130327-1442.jar	csrss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\vlc.mo.kd8eby0.13E-3F9-0A5	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\AppList.scale-125.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\157.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\cardback.png	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\msipc.dll.mui	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\SmallTile.scale-125_contrast-white.png	csrss.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-150.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionMedTile.scale-100.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\brokenheart.png	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.kd8eby0.13E-3F9-0A5	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.kd8eby0.13E-3F9-0A5	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Fues\Popup_3.jpg	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-phn.xrm-ms.kd8eby0.13E-3F9-0A5	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.boot.tree.dat.kd8eby0.13E-3F9-0A5	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\EmptyReport.rdlc.kd8eby0.13E-3F9-0A5	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\YellowAbstractNote.scale-200.png	csrss.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.White.png	csrss.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.1.25002.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Microsoft.CPub.SkuInterop.winmd	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe.kd8eby0.13E-3F9-0A5	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar.kd8eby0.13E-3F9-0A5	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Wave.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo1.targetsize-24.png	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar.kd8eby0.13E-3F9-0A5	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\SmallTile.scale-125.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Square44x44Logo.targetsize-24.png	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\blacklisted.certs.kd8eby0.13E-3F9-0A5	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\excel.x-none.msi.16.x-none.boot.tree.dat.kd8eby0.13E-3F9-0A5	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-30_contrast-white.png	csrss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt.kd8eby0.13E-3F9-0A5	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.scale-100.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SplashScreen.scale-200.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1949_24x24x32.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-black_scale-125.png	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exe

pid	Process
940	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

123.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	123.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	123.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid	Process
1416	powershell.exe
1416	powershell.exe
1416	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

123.exeWMIC.exevssvc.exepowershell.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	3684	123.exe
Token: SeDebugPrivilege	3684	123.exe
Token: SeIncreaseQuotaPrivilege	1508	WMIC.exe
Token: SeSecurityPrivilege	1508	WMIC.exe
Token: SeTakeOwnershipPrivilege	1508	WMIC.exe
Token: SeLoadDriverPrivilege	1508	WMIC.exe
Token: SeSystemProfilePrivilege	1508	WMIC.exe
Token: SeSystemtimePrivilege	1508	WMIC.exe
Token: SeProfSingleProcessPrivilege	1508	WMIC.exe
Token: SeIncBasePriorityPrivilege	1508	WMIC.exe
Token: SeCreatePagefilePrivilege	1508	WMIC.exe
Token: SeBackupPrivilege	1508	WMIC.exe
Token: SeRestorePrivilege	1508	WMIC.exe
Token: SeShutdownPrivilege	1508	WMIC.exe
Token: SeDebugPrivilege	1508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1508	WMIC.exe
Token: SeRemoteShutdownPrivilege	1508	WMIC.exe
Token: SeUndockPrivilege	1508	WMIC.exe
Token: SeManageVolumePrivilege	1508	WMIC.exe
Token: 33	1508	WMIC.exe
Token: 34	1508	WMIC.exe
Token: 35	1508	WMIC.exe
Token: 36	1508	WMIC.exe
Token: SeBackupPrivilege	2216	vssvc.exe
Token: SeRestorePrivilege	2216	vssvc.exe
Token: SeAuditPrivilege	2216	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1508	WMIC.exe
Token: SeSecurityPrivilege	1508	WMIC.exe
Token: SeTakeOwnershipPrivilege	1508	WMIC.exe
Token: SeLoadDriverPrivilege	1508	WMIC.exe
Token: SeSystemProfilePrivilege	1508	WMIC.exe
Token: SeSystemtimePrivilege	1508	WMIC.exe
Token: SeProfSingleProcessPrivilege	1508	WMIC.exe
Token: SeIncBasePriorityPrivilege	1508	WMIC.exe
Token: SeCreatePagefilePrivilege	1508	WMIC.exe
Token: SeBackupPrivilege	1508	WMIC.exe
Token: SeRestorePrivilege	1508	WMIC.exe
Token: SeShutdownPrivilege	1508	WMIC.exe
Token: SeDebugPrivilege	1508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1508	WMIC.exe
Token: SeRemoteShutdownPrivilege	1508	WMIC.exe
Token: SeUndockPrivilege	1508	WMIC.exe
Token: SeManageVolumePrivilege	1508	WMIC.exe
Token: 33	1508	WMIC.exe
Token: 34	1508	WMIC.exe
Token: 35	1508	WMIC.exe
Token: 36	1508	WMIC.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeIncreaseQuotaPrivilege	3208	WMIC.exe
Token: SeSecurityPrivilege	3208	WMIC.exe
Token: SeTakeOwnershipPrivilege	3208	WMIC.exe
Token: SeLoadDriverPrivilege	3208	WMIC.exe
Token: SeSystemProfilePrivilege	3208	WMIC.exe
Token: SeSystemtimePrivilege	3208	WMIC.exe
Token: SeProfSingleProcessPrivilege	3208	WMIC.exe
Token: SeIncBasePriorityPrivilege	3208	WMIC.exe
Token: SeCreatePagefilePrivilege	3208	WMIC.exe
Token: SeBackupPrivilege	3208	WMIC.exe
Token: SeRestorePrivilege	3208	WMIC.exe
Token: SeShutdownPrivilege	3208	WMIC.exe
Token: SeDebugPrivilege	3208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3208	WMIC.exe
Token: SeRemoteShutdownPrivilege	3208	WMIC.exe
Token: SeUndockPrivilege	3208	WMIC.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

123.execsrss.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 3684 wrote to memory of 492	3684	123.exe	69
PID 3684 wrote to memory of 492	3684	123.exe	69
PID 3684 wrote to memory of 492	3684	123.exe	69
PID 3684 wrote to memory of 1328	3684	123.exe	70
PID 3684 wrote to memory of 1328	3684	123.exe	70
PID 3684 wrote to memory of 1328	3684	123.exe	70
PID 3684 wrote to memory of 1328	3684	123.exe	70
PID 3684 wrote to memory of 1328	3684	123.exe	70
PID 3684 wrote to memory of 1328	3684	123.exe	70
PID 492 wrote to memory of 3924	492	csrss.exe	71
PID 492 wrote to memory of 3924	492	csrss.exe	71
PID 492 wrote to memory of 3924	492	csrss.exe	71
PID 492 wrote to memory of 2252	492	csrss.exe	72
PID 492 wrote to memory of 2252	492	csrss.exe	72
PID 492 wrote to memory of 2252	492	csrss.exe	72
PID 492 wrote to memory of 972	492	csrss.exe	82
PID 492 wrote to memory of 972	492	csrss.exe	82
PID 492 wrote to memory of 972	492	csrss.exe	82
PID 492 wrote to memory of 1676	492	csrss.exe	74
PID 492 wrote to memory of 1676	492	csrss.exe	74
PID 492 wrote to memory of 1676	492	csrss.exe	74
PID 492 wrote to memory of 1768	492	csrss.exe	75
PID 492 wrote to memory of 1768	492	csrss.exe	75
PID 492 wrote to memory of 1768	492	csrss.exe	75
PID 492 wrote to memory of 1992	492	csrss.exe	78
PID 492 wrote to memory of 1992	492	csrss.exe	78
PID 492 wrote to memory of 1992	492	csrss.exe	78
PID 492 wrote to memory of 680	492	csrss.exe	76
PID 492 wrote to memory of 680	492	csrss.exe	76
PID 492 wrote to memory of 680	492	csrss.exe	76
PID 3924 wrote to memory of 1508	3924	cmd.exe	85
PID 3924 wrote to memory of 1508	3924	cmd.exe	85
PID 3924 wrote to memory of 1508	3924	cmd.exe	85
PID 1992 wrote to memory of 1416	1992	cmd.exe	84
PID 1992 wrote to memory of 1416	1992	cmd.exe	84
PID 1992 wrote to memory of 1416	1992	cmd.exe	84
PID 1768 wrote to memory of 940	1768	cmd.exe	86
PID 1768 wrote to memory of 940	1768	cmd.exe	86
PID 1768 wrote to memory of 940	1768	cmd.exe	86
PID 1992 wrote to memory of 3208	1992	cmd.exe	89
PID 1992 wrote to memory of 3208	1992	cmd.exe	89
PID 1992 wrote to memory of 3208	1992	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\123.exe
"C:\Users\Admin\AppData\Local\Temp\123.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:940
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy ByPass -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1416
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC.exe shadowcopy delete /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:972
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:1328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
e3e3b0a46e8a480b91b2958f84492c21

SHA1
d53c4d0cae15edeb1364156cf5e7f1f78c8947a8

SHA256
8f80b0fc1c1c54daefb919e0ad44f52abfa9c4eb46da55fb8129b7f65209061f

SHA512
0549eddf61463dafce23e4d9808e64401d2ce9e61f65447287e98da73bcf9733fe9da2809b5887ac56dd4c313366496348510cb9d9576b264549148e4d0f39e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
eed44928e946f50ed36d37752d7de3ac

SHA1
a2ae1a3cad33819ebb8022ea9558769e5a441921

SHA256
7626e74ff44217673c53af18c53b5bc37ba411bb3f4db0daa1dc13f5db0edb5d

SHA512
ef7c6263485fa47204c5cea4d0c782def13b7b568653037eb1ef1d057aaaacd026fd40db3ab9ae90ea9473f69f5a3866fdf1dfb64ec03ab47a589ecd131c5918

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
c026f0cefed02193d3bf7078c32c1f4b

SHA1
74357c790437e708d6152492f14f9a308a41c1ee

SHA256
a2293aa5e0cba820827fe6cbecf5d053a12c5cd625971c6470a5fc5079b95d8e

SHA512
f0e718e04dbd20c150659251786bd363f5aceb0a789f6e03b84e43405aebd3487e682a9fdfaf68c9f55e260a632fde553d0c85f317dd80960aec547632f6874a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
208fb6619151f609f9ce87a72ac8a0fb

SHA1
825acdf9cc6d1f40de41f5a0df6d2269e7c3d7ad

SHA256
4ed18c9f6f08b02da29bf6b0fbae3f13c44312dfb963e7e1492d6a02ea2dab00

SHA512
566970d6a24081b232d357c3fc25d248358673a9b96874ea34e70ecb00533ec4b7a8409c9da09cd1047e28b2805c0e29b899ce47b85fd665ad97f09894b1e360

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
dac8c96041dbc73b6966d78079c5dbb5

SHA1
15785312a8e5103a8d1210eeba3cff0daabd1146

SHA256
20379319b47548a74b997a8398868bcfd9939a3db0744086b133001f98671126

SHA512
be0c733932704f61eefaaa80276640618f6c897a33c8b97fd93041504b0a5d6da155516cc3d93a4919f79a945ccb43f20fc9197075c8fea4b8a60c44483c5e0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
86dbed6814cdc7ce6d7d4830eeb0e628

SHA1
7ba5bad92f6f5f2ab410d5916a5d9e4a8a3d8732

SHA256
2e2b99f553093f40be0429cf4a8ef96ed666368a41316396e4ef6b07f5171da7

SHA512
b2a2b1eeb1da8c98419c7c8528b14c7218877cdff584aa5c5a7ebdda28c4439505cd32da5f2a34a58d588b61a482036646db25a36b0e134fc8369b65d8905c31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0JDXA5XR\BH64WM7P.htm

MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8YCK9U05\A3QJAJ1A.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
e6545ccb3660f88529716ed4e647c713

SHA1
ecd628f29985599a24c5c1d23083c689917dd74e

SHA256
e802bf0c4481bef693d4d1f307aba48301e330d3728dd46a4ec97c4a96b4d4a7

SHA512
f745e7d5dd006083234e783dd5dc7fb83043a7d0479ea2a91a2ddbc8c20ca47343516efbd155271768c675a22b32e88febdfe51551ec42dfdb64805c62c3188d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
memory/492-118-0x0000000000000000-mapping.dmp

Download
memory/680-137-0x0000000000000000-mapping.dmp

Download
memory/940-142-0x0000000000000000-mapping.dmp

Download
memory/972-133-0x0000000000000000-mapping.dmp

Download
memory/1328-122-0x0000000000000000-mapping.dmp

Download
memory/1328-130-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1416-141-0x0000000000000000-mapping.dmp

Download
memory/1416-149-0x0000000007A10000-0x0000000007A11000-memory.dmp

Filesize
4KB

Download
memory/1416-168-0x0000000004963000-0x0000000004964000-memory.dmp

Filesize
4KB

Download
memory/1416-166-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/1416-163-0x0000000009900000-0x0000000009901000-memory.dmp

Filesize
4KB

Download
memory/1416-162-0x0000000009060000-0x0000000009061000-memory.dmp

Filesize
4KB

Download
memory/1416-161-0x0000000008FF0000-0x0000000008FF1000-memory.dmp

Filesize
4KB

Download
memory/1416-143-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/1416-144-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/1416-145-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/1416-146-0x0000000007370000-0x0000000007371000-memory.dmp

Filesize
4KB

Download
memory/1416-147-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/1416-148-0x00000000079A0000-0x00000000079A1000-memory.dmp

Filesize
4KB

Download
memory/1416-160-0x00000000090D0000-0x00000000090D1000-memory.dmp

Filesize
4KB

Download
memory/1416-150-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/1416-151-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/1416-152-0x0000000004962000-0x0000000004963000-memory.dmp

Filesize
4KB

Download
memory/1416-153-0x0000000007BA0000-0x0000000007BA1000-memory.dmp

Filesize
4KB

Download
memory/1416-154-0x0000000008040000-0x0000000008041000-memory.dmp

Filesize
4KB

Download
memory/1416-155-0x0000000008390000-0x0000000008391000-memory.dmp

Filesize
4KB

Download
memory/1416-156-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/1508-140-0x0000000000000000-mapping.dmp

Download
memory/1676-134-0x0000000000000000-mapping.dmp

Download
memory/1768-135-0x0000000000000000-mapping.dmp

Download
memory/1992-136-0x0000000000000000-mapping.dmp

Download
memory/2252-132-0x0000000000000000-mapping.dmp

Download
memory/3208-167-0x0000000000000000-mapping.dmp

Download
memory/3924-131-0x0000000000000000-mapping.dmp

Download