buran | 4091eb184d556bdb2234d8cc85042546264defc1fcc791538813b755d9255c86

Analysis

max time kernel
120s
max time network
118s
platform
windows10_x64
resource
win10-en-20211208
submitted
09-12-2021 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1184.exe
Size

250KB
MD5

17ba757ef56ce371b152db6a3c0dd288
SHA1

094f68da6ba10ce0b30815e9179aa59f67b454ef
SHA256

4091eb184d556bdb2234d8cc85042546264defc1fcc791538813b755d9255c86
SHA512

6b375cdf488498f3fae0992d7636ea1d701625abdc07425be244a1524d89887908f2ec548cf9bb8a72578adc0bfd9509559c3dced1be3f5c0bfe3484d00868ae

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 4AE-A5A-936 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 3 IoCs

Processes:

hgfdfds.exespoolsv.exespoolsv.exe

pid process

2512 hgfdfds.exe
420 spoolsv.exe
1276 spoolsv.exe

pid	process
2512	hgfdfds.exe
420	spoolsv.exe
1276	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hgfdfds.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run	hgfdfds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\spoolsv.exe\" -start"	hgfdfds.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spoolsv.exe

description	ioc	process
File opened (read-only)	\??\N:	spoolsv.exe
File opened (read-only)	\??\M:	spoolsv.exe
File opened (read-only)	\??\I:	spoolsv.exe
File opened (read-only)	\??\F:	spoolsv.exe
File opened (read-only)	\??\Y:	spoolsv.exe
File opened (read-only)	\??\T:	spoolsv.exe
File opened (read-only)	\??\S:	spoolsv.exe
File opened (read-only)	\??\P:	spoolsv.exe
File opened (read-only)	\??\B:	spoolsv.exe
File opened (read-only)	\??\L:	spoolsv.exe
File opened (read-only)	\??\H:	spoolsv.exe
File opened (read-only)	\??\G:	spoolsv.exe
File opened (read-only)	\??\Z:	spoolsv.exe
File opened (read-only)	\??\O:	spoolsv.exe
File opened (read-only)	\??\J:	spoolsv.exe
File opened (read-only)	\??\E:	spoolsv.exe
File opened (read-only)	\??\R:	spoolsv.exe
File opened (read-only)	\??\Q:	spoolsv.exe
File opened (read-only)	\??\K:	spoolsv.exe
File opened (read-only)	\??\A:	spoolsv.exe
File opened (read-only)	\??\X:	spoolsv.exe
File opened (read-only)	\??\W:	spoolsv.exe
File opened (read-only)	\??\V:	spoolsv.exe
File opened (read-only)	\??\U:	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 geoiptool.com

flow	ioc
18	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

spoolsv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-up.png.kd8eby0.4AE-A5A-936	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\PlayStore_icon.svg	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailLargeTile.scale-150.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_altform-unplated_contrast-white.png	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\MedTile.scale-125.png	spoolsv.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\sr-latn-cs\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js	spoolsv.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\management\management.properties	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK.kd8eby0.4AE-A5A-936	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.kd8eby0.4AE-A5A-936	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN048.XML.kd8eby0.4AE-A5A-936	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Icons.ttf	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\rs_16x11.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif.kd8eby0.4AE-A5A-936	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-heapdump.jar.kd8eby0.4AE-A5A-936	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\SmallTile.scale-125.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\PeopleWideTile.scale-200.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-30_altform-unplated.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\ui-strings.js.kd8eby0.4AE-A5A-936	spoolsv.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ro-ro\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\root\ui-strings.js.kd8eby0.4AE-A5A-936	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.kd8eby0.4AE-A5A-936	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\LargeTile.scale-125.png	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms.kd8eby0.4AE-A5A-936	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_streams.luac.kd8eby0.4AE-A5A-936	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\BadgeLogo\PaintApplist.scale-200.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-64_altform-unplated_contrast-white.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\ui-strings.js.kd8eby0.4AE-A5A-936	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	spoolsv.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml.kd8eby0.4AE-A5A-936	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms.kd8eby0.4AE-A5A-936	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-48_altform-unplated.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-100.png	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar.kd8eby0.4AE-A5A-936	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ul-oob.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt	spoolsv.exe
File created	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-24_altform-unplated.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\ui-strings.js.kd8eby0.4AE-A5A-936	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\ui-strings.js	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Info.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses-hover.svg.kd8eby0.4AE-A5A-936	spoolsv.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms.kd8eby0.4AE-A5A-936	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_altform-unplated_contrast-black.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\TryAgain\TryAgain-over.mobile.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\fr_16x11.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2875_32x32x32.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40_contrast-white.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\ui-strings.js.kd8eby0.4AE-A5A-936	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\lpc.win32.bundle.kd8eby0.4AE-A5A-936	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2112 vssadmin.exe

pid	process
2112	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

hgfdfds.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	hgfdfds.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	hgfdfds.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3912 powershell.exe
3912 powershell.exe
3912 powershell.exe

pid	process
3912	powershell.exe
3912	powershell.exe
3912	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

hgfdfds.exeWMIC.exevssvc.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2512	hgfdfds.exe
Token: SeDebugPrivilege	2512	hgfdfds.exe
Token: SeIncreaseQuotaPrivilege	1272	WMIC.exe
Token: SeSecurityPrivilege	1272	WMIC.exe
Token: SeTakeOwnershipPrivilege	1272	WMIC.exe
Token: SeLoadDriverPrivilege	1272	WMIC.exe
Token: SeSystemProfilePrivilege	1272	WMIC.exe
Token: SeSystemtimePrivilege	1272	WMIC.exe
Token: SeProfSingleProcessPrivilege	1272	WMIC.exe
Token: SeIncBasePriorityPrivilege	1272	WMIC.exe
Token: SeCreatePagefilePrivilege	1272	WMIC.exe
Token: SeBackupPrivilege	1272	WMIC.exe
Token: SeRestorePrivilege	1272	WMIC.exe
Token: SeShutdownPrivilege	1272	WMIC.exe
Token: SeDebugPrivilege	1272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1272	WMIC.exe
Token: SeRemoteShutdownPrivilege	1272	WMIC.exe
Token: SeUndockPrivilege	1272	WMIC.exe
Token: SeManageVolumePrivilege	1272	WMIC.exe
Token: 33	1272	WMIC.exe
Token: 34	1272	WMIC.exe
Token: 35	1272	WMIC.exe
Token: 36	1272	WMIC.exe
Token: SeBackupPrivilege	2444	vssvc.exe
Token: SeRestorePrivilege	2444	vssvc.exe
Token: SeAuditPrivilege	2444	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1272	WMIC.exe
Token: SeSecurityPrivilege	1272	WMIC.exe
Token: SeTakeOwnershipPrivilege	1272	WMIC.exe
Token: SeLoadDriverPrivilege	1272	WMIC.exe
Token: SeSystemProfilePrivilege	1272	WMIC.exe
Token: SeSystemtimePrivilege	1272	WMIC.exe
Token: SeProfSingleProcessPrivilege	1272	WMIC.exe
Token: SeIncBasePriorityPrivilege	1272	WMIC.exe
Token: SeCreatePagefilePrivilege	1272	WMIC.exe
Token: SeBackupPrivilege	1272	WMIC.exe
Token: SeRestorePrivilege	1272	WMIC.exe
Token: SeShutdownPrivilege	1272	WMIC.exe
Token: SeDebugPrivilege	1272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1272	WMIC.exe
Token: SeRemoteShutdownPrivilege	1272	WMIC.exe
Token: SeUndockPrivilege	1272	WMIC.exe
Token: SeManageVolumePrivilege	1272	WMIC.exe
Token: 33	1272	WMIC.exe
Token: 34	1272	WMIC.exe
Token: 35	1272	WMIC.exe
Token: 36	1272	WMIC.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeIncreaseQuotaPrivilege	4048	WMIC.exe
Token: SeSecurityPrivilege	4048	WMIC.exe
Token: SeTakeOwnershipPrivilege	4048	WMIC.exe
Token: SeLoadDriverPrivilege	4048	WMIC.exe
Token: SeSystemProfilePrivilege	4048	WMIC.exe
Token: SeSystemtimePrivilege	4048	WMIC.exe
Token: SeProfSingleProcessPrivilege	4048	WMIC.exe
Token: SeIncBasePriorityPrivilege	4048	WMIC.exe
Token: SeCreatePagefilePrivilege	4048	WMIC.exe
Token: SeBackupPrivilege	4048	WMIC.exe
Token: SeRestorePrivilege	4048	WMIC.exe
Token: SeShutdownPrivilege	4048	WMIC.exe
Token: SeDebugPrivilege	4048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4048	WMIC.exe
Token: SeRemoteShutdownPrivilege	4048	WMIC.exe
Token: SeUndockPrivilege	4048	WMIC.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

1184.exehgfdfds.exespoolsv.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2284 wrote to memory of 2512	2284	1184.exe	hgfdfds.exe
PID 2284 wrote to memory of 2512	2284	1184.exe	hgfdfds.exe
PID 2284 wrote to memory of 2512	2284	1184.exe	hgfdfds.exe
PID 2512 wrote to memory of 420	2512	hgfdfds.exe	spoolsv.exe
PID 2512 wrote to memory of 420	2512	hgfdfds.exe	spoolsv.exe
PID 2512 wrote to memory of 420	2512	hgfdfds.exe	spoolsv.exe
PID 2512 wrote to memory of 2216	2512	hgfdfds.exe	notepad.exe
PID 2512 wrote to memory of 2216	2512	hgfdfds.exe	notepad.exe
PID 2512 wrote to memory of 2216	2512	hgfdfds.exe	notepad.exe
PID 2512 wrote to memory of 2216	2512	hgfdfds.exe	notepad.exe
PID 2512 wrote to memory of 2216	2512	hgfdfds.exe	notepad.exe
PID 2512 wrote to memory of 2216	2512	hgfdfds.exe	notepad.exe
PID 420 wrote to memory of 1440	420	spoolsv.exe	cmd.exe
PID 420 wrote to memory of 1440	420	spoolsv.exe	cmd.exe
PID 420 wrote to memory of 1440	420	spoolsv.exe	cmd.exe
PID 420 wrote to memory of 2776	420	spoolsv.exe	cmd.exe
PID 420 wrote to memory of 2776	420	spoolsv.exe	cmd.exe
PID 420 wrote to memory of 2776	420	spoolsv.exe	cmd.exe
PID 420 wrote to memory of 1192	420	spoolsv.exe	cmd.exe
PID 420 wrote to memory of 1192	420	spoolsv.exe	cmd.exe
PID 420 wrote to memory of 1192	420	spoolsv.exe	cmd.exe
PID 420 wrote to memory of 1504	420	spoolsv.exe	cmd.exe
PID 420 wrote to memory of 1504	420	spoolsv.exe	cmd.exe
PID 420 wrote to memory of 1504	420	spoolsv.exe	cmd.exe
PID 420 wrote to memory of 596	420	spoolsv.exe	cmd.exe
PID 420 wrote to memory of 596	420	spoolsv.exe	cmd.exe
PID 420 wrote to memory of 596	420	spoolsv.exe	cmd.exe
PID 420 wrote to memory of 364	420	spoolsv.exe	cmd.exe
PID 420 wrote to memory of 364	420	spoolsv.exe	cmd.exe
PID 420 wrote to memory of 364	420	spoolsv.exe	cmd.exe
PID 420 wrote to memory of 1276	420	spoolsv.exe	spoolsv.exe
PID 420 wrote to memory of 1276	420	spoolsv.exe	spoolsv.exe
PID 420 wrote to memory of 1276	420	spoolsv.exe	spoolsv.exe
PID 596 wrote to memory of 2112	596	cmd.exe	vssadmin.exe
PID 596 wrote to memory of 2112	596	cmd.exe	vssadmin.exe
PID 596 wrote to memory of 2112	596	cmd.exe	vssadmin.exe
PID 1440 wrote to memory of 1272	1440	cmd.exe	WMIC.exe
PID 1440 wrote to memory of 1272	1440	cmd.exe	WMIC.exe
PID 1440 wrote to memory of 1272	1440	cmd.exe	WMIC.exe
PID 364 wrote to memory of 3912	364	cmd.exe	powershell.exe
PID 364 wrote to memory of 3912	364	cmd.exe	powershell.exe
PID 364 wrote to memory of 3912	364	cmd.exe	powershell.exe
PID 364 wrote to memory of 4048	364	cmd.exe	WMIC.exe
PID 364 wrote to memory of 4048	364	cmd.exe	WMIC.exe
PID 364 wrote to memory of 4048	364	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\1184.exe
"C:\Users\Admin\AppData\Local\Temp\1184.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Public\Videos\hgfdfds.exe
"C:\Users\Public\Videos\hgfdfds.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
4⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
4⤵
PID:2776

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy ByPass -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delete /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
4⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
PID:1192

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:2216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
279be26aad260b946ffef7c3b84af047

SHA1
d3e611f11b66ad92de797954256f9f782c19e262

SHA256
242e762985f758451e42708685818beaf0d9bd6842836ec1c13f682fa218158f

SHA512
74028b86cf93a8ec9067b96a033ee42eec1080e8a96c1ffa95f85cc0d9343638528cc6343c3b10095804e727a2e4e749bf2e254864b79a1de16cdcf4fab4d414

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
dd0d6606151d8041eb3961af54fd8345

SHA1
2b2efaf447c34a8018fb56dedab8c43e32a0c18a

SHA256
db4f82f58c90ed085aca2495fe575545a2c81aeaf488760b4952017b65dec208

SHA512
65684d02a3d9271e835db198a1718825bc3410b083f2f74be39d1b072986669596f0a9e26edb6a2a01759ce458f2953ad0bf03dc5ad3ae0cf6d7839e2993fe1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
a4ce9d27fc3d4962e6d516a3396718a3

SHA1
8b59693be7f9eba072861fd7ef8b441a147d0f09

SHA256
b3d1cc229ea6dfb56ce7efa60cd6f550fd155d0148bf6e869c33df67931eee3c

SHA512
02e83d76266c7603cfa4ca00af14f720d9cf7ac5eb66a59cc2670c6cba4a32406d2a9ac4d1d43a8222b762e473c646ee8154aae9e3dcba071a7f431c1bb195be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
05d31dbca70f57d12969a0f60aba6ad3

SHA1
f170c2615fce989193a2383fc575c6c5e9a9aff3

SHA256
e985fcf69c7a05053a041d49a4abc00dd30450c60c22419145352a8c12083ed3

SHA512
3f5b30b6cbba34ccafee9b1c26e860173671634f154d74fbcf3f75db574a090b077e610eb7b7253cd23d5c55b4b2650c453a7a9e4683a9c12afdf6a533be61b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
3d9d0a0b762735840a99f4826e67c378

SHA1
43b19fe83762e96c54ddb2969d8015807216d424

SHA256
9844ec817ce2652ce77c7c4866c87388eab12ec973f8d9f65cc79db16077eb89

SHA512
1872a844b5cbf2450a59dd2b7d35780fb48b134cf64946aa006476ca694f22e1bcacabe91bccb82bea867e95d9ea67d736de9181e3a039a4a4e5e131df958dd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
69a57e0e7cf10d02798c0179ee72476f

SHA1
85f437b039e1950f06ad38cad85c50beec2055af

SHA256
2088e167967972c263700c377c50374527816734a42afbe56402c7bdcd3de039

SHA512
11aa7cfe399c7a06ac28f14dd1f323c9cae2b25ebc65d24a5a8e560b1ea42309f996d6ab04e8d52579cd211c6ea339b894c6b87858347d2e45f5d54d33112282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCJJ9ZOX\6CJ2U6FV.htm
MD5
a86c948b42ceda429fc5132fe95a65d7

SHA1
1e5433c55eb57b7dd6cbaf59f0701f027cd64fc0

SHA256
7d04d781251d6520f01f5ce6fcce399c774499e947ff1a7509ba0d9affdbc447

SHA512
daae68b891656a469d06ead87b06e67403bc3a96843b34f7c16acd3127d525b3e0a84e2830b664aa3c3b34189f2752f4b25602d1f76f02661e8bbd5fc1b7965e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UJMJYC0S\P7MW5P8I.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
e6545ccb3660f88529716ed4e647c713

SHA1
ecd628f29985599a24c5c1d23083c689917dd74e

SHA256
e802bf0c4481bef693d4d1f307aba48301e330d3728dd46a4ec97c4a96b4d4a7

SHA512
f745e7d5dd006083234e783dd5dc7fb83043a7d0479ea2a91a2ddbc8c20ca47343516efbd155271768c675a22b32e88febdfe51551ec42dfdb64805c62c3188d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Public\Videos\hgfdfds.exe
MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Public\Videos\hgfdfds.exe
MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
memory/364-136-0x0000000000000000-mapping.dmp

Download
memory/420-118-0x0000000000000000-mapping.dmp

Download
memory/596-135-0x0000000000000000-mapping.dmp

Download
memory/1192-133-0x0000000000000000-mapping.dmp

Download
memory/1272-140-0x0000000000000000-mapping.dmp

Download
memory/1276-137-0x0000000000000000-mapping.dmp

Download
memory/1440-131-0x0000000000000000-mapping.dmp

Download
memory/1504-134-0x0000000000000000-mapping.dmp

Download
memory/2112-139-0x0000000000000000-mapping.dmp

Download
memory/2216-124-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/2216-121-0x0000000000000000-mapping.dmp

Download
memory/2512-115-0x0000000000000000-mapping.dmp

Download
memory/2776-132-0x0000000000000000-mapping.dmp

Download
memory/3912-148-0x0000000007740000-0x0000000007741000-memory.dmp

Filesize
4KB

Download
memory/3912-153-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

Filesize
4KB

Download
memory/3912-144-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/3912-145-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/3912-146-0x0000000007D80000-0x0000000007D81000-memory.dmp

Filesize
4KB

Download
memory/3912-147-0x00000000079C0000-0x00000000079C1000-memory.dmp

Filesize
4KB

Download
memory/3912-142-0x0000000000000000-mapping.dmp

Download
memory/3912-149-0x0000000007742000-0x0000000007743000-memory.dmp

Filesize
4KB

Download
memory/3912-150-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/3912-151-0x0000000007A60000-0x0000000007A61000-memory.dmp

Filesize
4KB

Download
memory/3912-152-0x00000000083B0000-0x00000000083B1000-memory.dmp

Filesize
4KB

Download
memory/3912-143-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/3912-154-0x00000000087C0000-0x00000000087C1000-memory.dmp

Filesize
4KB

Download
memory/3912-155-0x0000000008AE0000-0x0000000008AE1000-memory.dmp

Filesize
4KB

Download
memory/3912-156-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/3912-162-0x0000000009930000-0x0000000009931000-memory.dmp

Filesize
4KB

Download
memory/3912-163-0x0000000009850000-0x0000000009851000-memory.dmp

Filesize
4KB

Download
memory/3912-164-0x00000000098C0000-0x00000000098C1000-memory.dmp

Filesize
4KB

Download
memory/3912-165-0x0000000009F60000-0x0000000009F61000-memory.dmp

Filesize
4KB

Download
memory/3912-168-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/3912-170-0x0000000007743000-0x0000000007744000-memory.dmp

Filesize
4KB

Download
memory/4048-169-0x0000000000000000-mapping.dmp

Download