buran | 522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774

Analysis

max time kernel
164s
max time network
146s
platform
windows7_x64
resource
win7-en-20211208
submitted
12-02-2022 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exe
Size

214KB
MD5

82663d9b96e1cb72bab78a9f56a50678
SHA1

29a5bd379073cd3073764a4f45fac283b0febcd2
SHA256

522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774
SHA512

3b2ba0a58482d310a4b3f044bfa88b5ce91b7a293e4241c8dc2e477029cd78e2df7d00dfee8b4213f87a26dce9c84e31807f8e503becbc64a97fe1f3bf5ac36c

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Telegram @payransom500 Btc 500$ adress bc1qas8m3c2jv4uyurxacdt99ujj6gp6xt4tqeul8l Your personal ID: 155-9DC-526 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

services.exeservices.exe

pid process

284 services.exe
1628 services.exe

pid	process
284	services.exe
1628	services.exe

Loads dropped DLL 2 IoCs

Processes:

522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exe

pid	process
1564	522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exe
1564	522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"	522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

services.exe

description	ioc	process
File opened (read-only)	\??\V:	services.exe
File opened (read-only)	\??\O:	services.exe
File opened (read-only)	\??\N:	services.exe
File opened (read-only)	\??\L:	services.exe
File opened (read-only)	\??\K:	services.exe
File opened (read-only)	\??\H:	services.exe
File opened (read-only)	\??\F:	services.exe
File opened (read-only)	\??\X:	services.exe
File opened (read-only)	\??\B:	services.exe
File opened (read-only)	\??\S:	services.exe
File opened (read-only)	\??\P:	services.exe
File opened (read-only)	\??\I:	services.exe
File opened (read-only)	\??\E:	services.exe
File opened (read-only)	\??\Y:	services.exe
File opened (read-only)	\??\W:	services.exe
File opened (read-only)	\??\R:	services.exe
File opened (read-only)	\??\Q:	services.exe
File opened (read-only)	\??\J:	services.exe
File opened (read-only)	\??\Z:	services.exe
File opened (read-only)	\??\T:	services.exe
File opened (read-only)	\??\M:	services.exe
File opened (read-only)	\??\G:	services.exe
File opened (read-only)	\??\A:	services.exe
File opened (read-only)	\??\U:	services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 geoiptool.com

flow	ioc
4	geoiptool.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

services.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\readme.txt	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt.@payransom500 .155-9DC-526	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe.@payransom500 .155-9DC-526	services.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File created	C:\Program Files\Google\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html.@payransom500 .155-9DC-526	services.exe
File opened for modification	C:\Program Files\DebugCopy.kix.@payransom500 .155-9DC-526	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt.@payransom500 .155-9DC-526	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe.@payransom500 .155-9DC-526	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\LICENSE	services.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\WMM2CLIP.dll.mui	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe.@payransom500 .155-9DC-526	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt.@payransom500 .155-9DC-526	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\highlight.png	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe.@payransom500 .155-9DC-526	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\COPYRIGHT	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	services.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	services.exe
File opened for modification	C:\Program Files\UnpublishUnlock.3gpp	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt.@payransom500 .155-9DC-526	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h	services.exe
File opened for modification	C:\Program Files\SubmitSearch.AAC.@payransom500 .155-9DC-526	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt.@payransom500 .155-9DC-526	services.exe
File opened for modification	C:\Program Files\FormatLimit.jpeg.@payransom500 .155-9DC-526	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt.@payransom500 .155-9DC-526	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1848 vssadmin.exe

pid	process
1848	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exeservices.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	services.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	services.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1384 powershell.exe

pid	process
1384	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

WMIC.exevssvc.exepowershell.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1080	WMIC.exe
Token: SeSecurityPrivilege	1080	WMIC.exe
Token: SeTakeOwnershipPrivilege	1080	WMIC.exe
Token: SeLoadDriverPrivilege	1080	WMIC.exe
Token: SeSystemProfilePrivilege	1080	WMIC.exe
Token: SeSystemtimePrivilege	1080	WMIC.exe
Token: SeProfSingleProcessPrivilege	1080	WMIC.exe
Token: SeIncBasePriorityPrivilege	1080	WMIC.exe
Token: SeCreatePagefilePrivilege	1080	WMIC.exe
Token: SeBackupPrivilege	1080	WMIC.exe
Token: SeRestorePrivilege	1080	WMIC.exe
Token: SeShutdownPrivilege	1080	WMIC.exe
Token: SeDebugPrivilege	1080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1080	WMIC.exe
Token: SeRemoteShutdownPrivilege	1080	WMIC.exe
Token: SeUndockPrivilege	1080	WMIC.exe
Token: SeManageVolumePrivilege	1080	WMIC.exe
Token: 33	1080	WMIC.exe
Token: 34	1080	WMIC.exe
Token: 35	1080	WMIC.exe
Token: SeBackupPrivilege	1408	vssvc.exe
Token: SeRestorePrivilege	1408	vssvc.exe
Token: SeAuditPrivilege	1408	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1080	WMIC.exe
Token: SeSecurityPrivilege	1080	WMIC.exe
Token: SeTakeOwnershipPrivilege	1080	WMIC.exe
Token: SeLoadDriverPrivilege	1080	WMIC.exe
Token: SeSystemProfilePrivilege	1080	WMIC.exe
Token: SeSystemtimePrivilege	1080	WMIC.exe
Token: SeProfSingleProcessPrivilege	1080	WMIC.exe
Token: SeIncBasePriorityPrivilege	1080	WMIC.exe
Token: SeCreatePagefilePrivilege	1080	WMIC.exe
Token: SeBackupPrivilege	1080	WMIC.exe
Token: SeRestorePrivilege	1080	WMIC.exe
Token: SeShutdownPrivilege	1080	WMIC.exe
Token: SeDebugPrivilege	1080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1080	WMIC.exe
Token: SeRemoteShutdownPrivilege	1080	WMIC.exe
Token: SeUndockPrivilege	1080	WMIC.exe
Token: SeManageVolumePrivilege	1080	WMIC.exe
Token: 33	1080	WMIC.exe
Token: 34	1080	WMIC.exe
Token: 35	1080	WMIC.exe
Token: SeDebugPrivilege	1384	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exeservices.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1564 wrote to memory of 284	1564	522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exe	services.exe
PID 1564 wrote to memory of 284	1564	522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exe	services.exe
PID 1564 wrote to memory of 284	1564	522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exe	services.exe
PID 1564 wrote to memory of 284	1564	522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exe	services.exe
PID 284 wrote to memory of 544	284	services.exe	cmd.exe
PID 284 wrote to memory of 544	284	services.exe	cmd.exe
PID 284 wrote to memory of 544	284	services.exe	cmd.exe
PID 284 wrote to memory of 544	284	services.exe	cmd.exe
PID 284 wrote to memory of 1688	284	services.exe	cmd.exe
PID 284 wrote to memory of 1688	284	services.exe	cmd.exe
PID 284 wrote to memory of 1688	284	services.exe	cmd.exe
PID 284 wrote to memory of 1688	284	services.exe	cmd.exe
PID 284 wrote to memory of 1664	284	services.exe	cmd.exe
PID 284 wrote to memory of 1664	284	services.exe	cmd.exe
PID 284 wrote to memory of 1664	284	services.exe	cmd.exe
PID 284 wrote to memory of 1664	284	services.exe	cmd.exe
PID 284 wrote to memory of 1532	284	services.exe	cmd.exe
PID 284 wrote to memory of 1532	284	services.exe	cmd.exe
PID 284 wrote to memory of 1532	284	services.exe	cmd.exe
PID 284 wrote to memory of 1532	284	services.exe	cmd.exe
PID 284 wrote to memory of 1932	284	services.exe	cmd.exe
PID 284 wrote to memory of 1932	284	services.exe	cmd.exe
PID 284 wrote to memory of 1932	284	services.exe	cmd.exe
PID 284 wrote to memory of 1932	284	services.exe	cmd.exe
PID 284 wrote to memory of 560	284	services.exe	cmd.exe
PID 284 wrote to memory of 560	284	services.exe	cmd.exe
PID 284 wrote to memory of 560	284	services.exe	cmd.exe
PID 284 wrote to memory of 560	284	services.exe	cmd.exe
PID 284 wrote to memory of 1628	284	services.exe	services.exe
PID 284 wrote to memory of 1628	284	services.exe	services.exe
PID 284 wrote to memory of 1628	284	services.exe	services.exe
PID 284 wrote to memory of 1628	284	services.exe	services.exe
PID 1932 wrote to memory of 1848	1932	cmd.exe	vssadmin.exe
PID 1932 wrote to memory of 1848	1932	cmd.exe	vssadmin.exe
PID 1932 wrote to memory of 1848	1932	cmd.exe	vssadmin.exe
PID 1932 wrote to memory of 1848	1932	cmd.exe	vssadmin.exe
PID 560 wrote to memory of 1384	560	cmd.exe	powershell.exe
PID 560 wrote to memory of 1384	560	cmd.exe	powershell.exe
PID 560 wrote to memory of 1384	560	cmd.exe	powershell.exe
PID 560 wrote to memory of 1384	560	cmd.exe	powershell.exe
PID 544 wrote to memory of 1080	544	cmd.exe	WMIC.exe
PID 544 wrote to memory of 1080	544	cmd.exe	WMIC.exe
PID 544 wrote to memory of 1080	544	cmd.exe	WMIC.exe
PID 544 wrote to memory of 1080	544	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exe
"C:\Users\Admin\AppData\Local\Temp\522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy ByPass -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
9eb7ce9761202f845d2e6dd6a5d38c64

SHA1
f1d6b983f61571913df7c347ed6380f49b3e6ae5

SHA256
e3c600d6a414bc83b7a0d9920f0c1d41f962c55dc8fa966fcadc927461a6f7cf

SHA512
ec25fe836cfd4b9f0d1e12250e071ba84409361f67925057c1e7cd609a1ac891b1bbae164d28df8456d5a700c600403184fcaa7b277ebefb5889fe603d89cda1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B1230D967FD647CD5194F3FFA6C7E7E4
MD5
f6fc284186499b1ec74e7b0e97540cb8

SHA1
36f163f8543d1cd0c4a36ed9cbf4aecaf2d382af

SHA256
09420bf65f3acdd595e388a9331e127003da5eb0520e86d9f27dcaf55b713192

SHA512
689e2aa233815780a2ad015e18d06dd47d2768cd08f0d30ccfdbe66382e4a3c76d1f421c099874b8cfb9ec70905e7175c6b24884579dd3b7b9d2ccb6051248a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
b0f8c16035b066b326999c9f26422098

SHA1
389a9e669628fcbedc35d908dcd4675f8dba9e79

SHA256
4c0c8af07363f3d178b6dd9ae0def73e9fbec4df49a8ab1dcf60d37ead768d78

SHA512
54ee8966beccd0ad9e9650b91191eca726a5b37e86fcabd75b41f8f0544b2328f9e2bbd2ff3e9e2098feaa36f6a769e9367db2f6f74e9910be0d3b5a29081369

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
da775309b721d0b55c241832f060dabd

SHA1
39a7493d03ab314c4120645c04119e7f6ab1e93b

SHA256
f31ae6f9ca3bcd2cf457f727535d2500988965ab08d3746a322bf250508ea1e5

SHA512
de8766b5aadd9e211447adefd2b3838f4db6669d1fde1ccd2b98f0832aaf86fd3c6dbc6098f6966c85583ab7b9bfc423f71da15b89c57b51cac9fef304d49cd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
84fbc91b014027c3741979e7c1ab2b74

SHA1
5af44785e8140e41b5ed8fabf3570389a220a6cf

SHA256
401da3f2fa8f3910c8c6930d468401e914ef9281ec7fbc3f81fe7d9618987cd3

SHA512
bebbffc21359e60efdaabd8c5967feac1f4010f3b75251df100e03c0ad25901924970a40122be9409e35491235b8d4264b091d4b34cca717229d3608293f913e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
786d83a77167af7b3f74187ccceaaf0e

SHA1
efbd64d83be64a3b6861b866e303bcf69e00ba65

SHA256
df262344f1ff268eb6551cb425c60429a8541ea0458269d6c34d138e6443fdad

SHA512
c300489272c6007459a8a4041ee855a7471de74a6cd9f18a4c5f0ac69870879479b93fb1ea70fa6ec3c8213185c01dda1558f836e40dcdd6ef5223d6e308b85a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B1230D967FD647CD5194F3FFA6C7E7E4
MD5
f01a4d350e05e39089a4019d3ae496dd

SHA1
12acc48648d8c57b4e40b98bf5b8d35ad993ce0d

SHA256
1e3a318ee9b5bcebd3d156b3f45c2d75ee5289713b5b918eb9e46543bfbd0c6b

SHA512
84dc14ae20a4791e4c3b822921f652804d7261b36386990a6815a91ae11fac90b2fbd910d2133a076f20dc5bff0f5a6c01a6e2e61b460f293630d3051b87bbd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
eeded83c61d10fa2c32ed1a94aa1a1c4

SHA1
4059074b99f71db6db8ca8eb56ec6745117effcf

SHA256
38a89d4799170475746b8434a048e9db0eb1965bc8f4a8d6fdfae9690b96735d

SHA512
e5c8ffb81b9da043d0eb19340c9a1d2e775143a611cff0898e698380fb0a5d1111634a4a41b4a9f7baebbf8ce36dd693a5a60735d2dfce39ffd2d0e873db21e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7QQD7BH\VESW16BV.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
e6545ccb3660f88529716ed4e647c713

SHA1
ecd628f29985599a24c5c1d23083c689917dd74e

SHA256
e802bf0c4481bef693d4d1f307aba48301e330d3728dd46a4ec97c4a96b4d4a7

SHA512
f745e7d5dd006083234e783dd5dc7fb83043a7d0479ea2a91a2ddbc8c20ca47343516efbd155271768c675a22b32e88febdfe51551ec42dfdb64805c62c3188d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
82663d9b96e1cb72bab78a9f56a50678

SHA1
29a5bd379073cd3073764a4f45fac283b0febcd2

SHA256
522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774

SHA512
3b2ba0a58482d310a4b3f044bfa88b5ce91b7a293e4241c8dc2e477029cd78e2df7d00dfee8b4213f87a26dce9c84e31807f8e503becbc64a97fe1f3bf5ac36c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
82663d9b96e1cb72bab78a9f56a50678

SHA1
29a5bd379073cd3073764a4f45fac283b0febcd2

SHA256
522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774

SHA512
3b2ba0a58482d310a4b3f044bfa88b5ce91b7a293e4241c8dc2e477029cd78e2df7d00dfee8b4213f87a26dce9c84e31807f8e503becbc64a97fe1f3bf5ac36c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
82663d9b96e1cb72bab78a9f56a50678

SHA1
29a5bd379073cd3073764a4f45fac283b0febcd2

SHA256
522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774

SHA512
3b2ba0a58482d310a4b3f044bfa88b5ce91b7a293e4241c8dc2e477029cd78e2df7d00dfee8b4213f87a26dce9c84e31807f8e503becbc64a97fe1f3bf5ac36c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
82663d9b96e1cb72bab78a9f56a50678

SHA1
29a5bd379073cd3073764a4f45fac283b0febcd2

SHA256
522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774

SHA512
3b2ba0a58482d310a4b3f044bfa88b5ce91b7a293e4241c8dc2e477029cd78e2df7d00dfee8b4213f87a26dce9c84e31807f8e503becbc64a97fe1f3bf5ac36c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
82663d9b96e1cb72bab78a9f56a50678

SHA1
29a5bd379073cd3073764a4f45fac283b0febcd2

SHA256
522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774

SHA512
3b2ba0a58482d310a4b3f044bfa88b5ce91b7a293e4241c8dc2e477029cd78e2df7d00dfee8b4213f87a26dce9c84e31807f8e503becbc64a97fe1f3bf5ac36c

Download Submit
memory/1384-75-0x0000000072B31000-0x0000000072B32000-memory.dmp

Filesize
4KB

Download
memory/1384-76-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/1384-77-0x0000000072B32000-0x0000000072B34000-memory.dmp

Filesize
8KB

Download
memory/1384-78-0x00000000025E1000-0x00000000025E2000-memory.dmp

Filesize
4KB

Download
memory/1384-79-0x00000000025E2000-0x00000000025E4000-memory.dmp

Filesize
8KB

Download
memory/1564-55-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download