55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb

General

Target

55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
Size

69KB
MD5

a2de690489ee5d8b3cd06fdea0a63670
SHA1

5f94ad2d365ae9c233b3f9ef68470c03e45aba64
SHA256

55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb
SHA512

0fb16a63055cc5cd13464ce3d414f7efe8c41abe4da98614629d2af2116ea9f2742edaaf7ca77ef33a26b8e0552e9bc149edbec7029b87c24fb77cd2d674a476

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\StartUndo.tiff	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Users\Admin\Pictures\SkipPing.tiff	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Users\Admin\Pictures\MeasureDebug.tiff	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149481.WMF	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\blank.jtp	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\OFFICE10.MMW	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\README.txt	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14844_.GIF	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordcnvpxy.cnv	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7EN.LEX	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB8.BDR	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLADD.FAE	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\common.luac	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB3B.BDR	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10307_.GIF	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143748.GIF	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14594_.GIF	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB2A.BDR	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18214_.WMF	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\resources.pak	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL044.XML	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18190_.WMF	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\ir.idl	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\3082\MSO.ACL	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\JSByteCodeWin.bin	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_200_percent.pak	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199283.WMF	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.GIF	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OL.SAM	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\ARROW.WAV	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10308_.GIF	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00165_.GIF	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\DenyAssert.ttc	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL016.XML	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL092.XML	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0216516.WMF	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\external_extensions.json	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\da.pak	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18202_.WMF	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\THOCR.PSP	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLCPRTID.XML	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB11.BDR	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\ant-javafx.jar	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART5.BDR	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\PMAILEXT.ECF	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.Xml.xml	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.xml	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0196400.WMF	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLAPPT.FAE	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02214_.GIF	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1484 vssadmin.exe

pid	process
1484	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe

pid	process
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
Token: SeImpersonatePrivilege	1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
Token: SeBackupPrivilege	4252	vssvc.exe
Token: SeRestorePrivilege	4252	vssvc.exe
Token: SeAuditPrivilege	4252	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe

description	pid	process	target process
PID 1288 wrote to memory of 1484	1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe	vssadmin.exe
PID 1288 wrote to memory of 1484	1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe	vssadmin.exe
PID 1288 wrote to memory of 1484	1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe	vssadmin.exe
PID 1288 wrote to memory of 1484	1288	55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe
"C:\Users\Admin\AppData\Local\Temp\55cdf7ea2da073657b79bed6ac128f61c20519a41715b1675c509face60fb9bb.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1484

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4252

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1288-54-0x0000000075471000-0x0000000075473000-memory.dmp

Filesize
8KB

Download
memory/1288-55-0x0000000030C70000-0x0000000030CED000-memory.dmp

Filesize
500KB

Download
memory/1288-56-0x0000000002790000-0x000000000280D000-memory.dmp

Filesize
500KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads