buran | 4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144

Analysis

max time kernel
4294192s
max time network
123s
platform
windows7_x64
resource
win7-20220223-en
submitted
05-03-2022 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe
Size

217KB
MD5

cffe48eed73a2006503d1094dd7e07bf
SHA1

2484ea7e8661d7f21aadb7fb4d79748bc7baae73
SHA256

4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144
SHA512

959cd0e7ad00e019301747b0eb4f080f1e2227d360f01f6095c7fc2a8876158b1fbe644f9fc5156c290bbf756a62df26244cc3a94f811cdd9f6ef67c422af5eb

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: _______________ and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: _______________ Reserved email: _______________ Your personal ID: 664-2E4-EF9 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

_______________

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

explorer.exeexplorer.exe

pid process

1808 explorer.exe
1536 explorer.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

explorer.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\DebugUnlock.tiff explorer.exe

pid	process
1808	explorer.exe
1536	explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\DebugUnlock.tiff	explorer.exe

Loads dropped DLL 2 IoCs

Processes:

4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe

pid	process
1668	4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe
1668	4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"	4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\X:	explorer.exe
File opened (read-only)	\??\V:	explorer.exe
File opened (read-only)	\??\J:	explorer.exe
File opened (read-only)	\??\P:	explorer.exe
File opened (read-only)	\??\O:	explorer.exe
File opened (read-only)	\??\N:	explorer.exe
File opened (read-only)	\??\M:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\Z:	explorer.exe
File opened (read-only)	\??\T:	explorer.exe
File opened (read-only)	\??\S:	explorer.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\L:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\W:	explorer.exe
File opened (read-only)	\??\U:	explorer.exe
File opened (read-only)	\??\R:	explorer.exe
File opened (read-only)	\??\I:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\B:	explorer.exe
File opened (read-only)	\??\Y:	explorer.exe
File opened (read-only)	\??\Q:	explorer.exe
File opened (read-only)	\??\K:	explorer.exe

Drops file in Program Files directory 64 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\2d.x3d.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WING1.WMF	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_zh_CN.jar	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18205_.WMF.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART2.BDR	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\dnsns.jar	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281638.WMF.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	explorer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\viewDblClick.js	explorer.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\en-US\FreeCell.exe.mui	explorer.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\en-US\Solitaire.exe.mui	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746U.BMP.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04191_.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_COL.HXC.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR29B.GIF.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GB.XSL.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\El_Salvador.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-13.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Flash.mpp.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar	explorer.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115875.GIF	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	explorer.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099158.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382926.JPG	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKACCL.ICO.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\MINUS.GIF	explorer.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jsse.jar	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00914_.WMF.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21427_.GIF.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay	explorer.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313965.JPG.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_zh_CN.jar.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL104.XML.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\La_Rioja	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21313_.GIF.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Earthy.css	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REC.CFG.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBCALSO.POC.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341561.JPG.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\dummy.luac.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105336.WMF.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PULQOT98.POC	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00668_.WMF.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN110.XML.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Managua.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.RSA.664-2E4-EF9	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\currency.data.664-2E4-EF9	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

576 588 WerFault.exe notepad.exe
624 1764 WerFault.exe notepad.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1000 vssadmin.exe
1564 vssadmin.exe

pid	pid_target	process	target process
576	588	WerFault.exe	notepad.exe
624	1764	WerFault.exe	notepad.exe

pid	process
1000	vssadmin.exe
1564	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1668	4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe
Token: SeDebugPrivilege	1668	4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe
Token: SeIncreaseQuotaPrivilege	1928	WMIC.exe
Token: SeSecurityPrivilege	1928	WMIC.exe
Token: SeTakeOwnershipPrivilege	1928	WMIC.exe
Token: SeLoadDriverPrivilege	1928	WMIC.exe
Token: SeSystemProfilePrivilege	1928	WMIC.exe
Token: SeSystemtimePrivilege	1928	WMIC.exe
Token: SeProfSingleProcessPrivilege	1928	WMIC.exe
Token: SeIncBasePriorityPrivilege	1928	WMIC.exe
Token: SeCreatePagefilePrivilege	1928	WMIC.exe
Token: SeBackupPrivilege	1928	WMIC.exe
Token: SeRestorePrivilege	1928	WMIC.exe
Token: SeShutdownPrivilege	1928	WMIC.exe
Token: SeDebugPrivilege	1928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1928	WMIC.exe
Token: SeRemoteShutdownPrivilege	1928	WMIC.exe
Token: SeUndockPrivilege	1928	WMIC.exe
Token: SeManageVolumePrivilege	1928	WMIC.exe
Token: 33	1928	WMIC.exe
Token: 34	1928	WMIC.exe
Token: 35	1928	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1632	WMIC.exe
Token: SeSecurityPrivilege	1632	WMIC.exe
Token: SeTakeOwnershipPrivilege	1632	WMIC.exe
Token: SeLoadDriverPrivilege	1632	WMIC.exe
Token: SeSystemProfilePrivilege	1632	WMIC.exe
Token: SeSystemtimePrivilege	1632	WMIC.exe
Token: SeProfSingleProcessPrivilege	1632	WMIC.exe
Token: SeIncBasePriorityPrivilege	1632	WMIC.exe
Token: SeCreatePagefilePrivilege	1632	WMIC.exe
Token: SeBackupPrivilege	1632	WMIC.exe
Token: SeRestorePrivilege	1632	WMIC.exe
Token: SeShutdownPrivilege	1632	WMIC.exe
Token: SeDebugPrivilege	1632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1632	WMIC.exe
Token: SeRemoteShutdownPrivilege	1632	WMIC.exe
Token: SeUndockPrivilege	1632	WMIC.exe
Token: SeManageVolumePrivilege	1632	WMIC.exe
Token: 33	1632	WMIC.exe
Token: 34	1632	WMIC.exe
Token: 35	1632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1632	WMIC.exe
Token: SeSecurityPrivilege	1632	WMIC.exe
Token: SeTakeOwnershipPrivilege	1632	WMIC.exe
Token: SeLoadDriverPrivilege	1632	WMIC.exe
Token: SeSystemProfilePrivilege	1632	WMIC.exe
Token: SeSystemtimePrivilege	1632	WMIC.exe
Token: SeProfSingleProcessPrivilege	1632	WMIC.exe
Token: SeIncBasePriorityPrivilege	1632	WMIC.exe
Token: SeCreatePagefilePrivilege	1632	WMIC.exe
Token: SeBackupPrivilege	1632	WMIC.exe
Token: SeRestorePrivilege	1632	WMIC.exe
Token: SeShutdownPrivilege	1632	WMIC.exe
Token: SeDebugPrivilege	1632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1632	WMIC.exe
Token: SeRemoteShutdownPrivilege	1632	WMIC.exe
Token: SeUndockPrivilege	1632	WMIC.exe
Token: SeManageVolumePrivilege	1632	WMIC.exe
Token: 33	1632	WMIC.exe
Token: 34	1632	WMIC.exe
Token: 35	1632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1928	WMIC.exe
Token: SeSecurityPrivilege	1928	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exenotepad.exeexplorer.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1668 wrote to memory of 1808	1668	4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe	explorer.exe
PID 1668 wrote to memory of 1808	1668	4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe	explorer.exe
PID 1668 wrote to memory of 1808	1668	4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe	explorer.exe
PID 1668 wrote to memory of 1808	1668	4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe	explorer.exe
PID 1668 wrote to memory of 588	1668	4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe	notepad.exe
PID 1668 wrote to memory of 588	1668	4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe	notepad.exe
PID 1668 wrote to memory of 588	1668	4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe	notepad.exe
PID 1668 wrote to memory of 588	1668	4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe	notepad.exe
PID 1668 wrote to memory of 588	1668	4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe	notepad.exe
PID 1668 wrote to memory of 588	1668	4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe	notepad.exe
PID 1668 wrote to memory of 588	1668	4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe	notepad.exe
PID 588 wrote to memory of 576	588	notepad.exe	WerFault.exe
PID 588 wrote to memory of 576	588	notepad.exe	WerFault.exe
PID 588 wrote to memory of 576	588	notepad.exe	WerFault.exe
PID 588 wrote to memory of 576	588	notepad.exe	WerFault.exe
PID 1808 wrote to memory of 432	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 432	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 432	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 432	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 844	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 844	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 844	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 844	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 296	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 296	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 296	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 296	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 2008	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 2008	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 2008	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 2008	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 2000	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 2000	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 2000	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 2000	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 2004	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 2004	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 2004	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 2004	1808	explorer.exe	cmd.exe
PID 1808 wrote to memory of 1536	1808	explorer.exe	explorer.exe
PID 1808 wrote to memory of 1536	1808	explorer.exe	explorer.exe
PID 1808 wrote to memory of 1536	1808	explorer.exe	explorer.exe
PID 1808 wrote to memory of 1536	1808	explorer.exe	explorer.exe
PID 432 wrote to memory of 1928	432	cmd.exe	WMIC.exe
PID 432 wrote to memory of 1928	432	cmd.exe	WMIC.exe
PID 432 wrote to memory of 1928	432	cmd.exe	WMIC.exe
PID 432 wrote to memory of 1928	432	cmd.exe	WMIC.exe
PID 2000 wrote to memory of 1000	2000	cmd.exe	vssadmin.exe
PID 2000 wrote to memory of 1000	2000	cmd.exe	vssadmin.exe
PID 2000 wrote to memory of 1000	2000	cmd.exe	vssadmin.exe
PID 2000 wrote to memory of 1000	2000	cmd.exe	vssadmin.exe
PID 2004 wrote to memory of 1632	2004	cmd.exe	WMIC.exe
PID 2004 wrote to memory of 1632	2004	cmd.exe	WMIC.exe
PID 2004 wrote to memory of 1632	2004	cmd.exe	WMIC.exe
PID 2004 wrote to memory of 1632	2004	cmd.exe	WMIC.exe
PID 2004 wrote to memory of 1564	2004	cmd.exe	vssadmin.exe
PID 2004 wrote to memory of 1564	2004	cmd.exe	vssadmin.exe
PID 2004 wrote to memory of 1564	2004	cmd.exe	vssadmin.exe
PID 2004 wrote to memory of 1564	2004	cmd.exe	vssadmin.exe
PID 1808 wrote to memory of 1764	1808	explorer.exe	notepad.exe
PID 1808 wrote to memory of 1764	1808	explorer.exe	notepad.exe
PID 1808 wrote to memory of 1764	1808	explorer.exe	notepad.exe
PID 1808 wrote to memory of 1764	1808	explorer.exe	notepad.exe
PID 1808 wrote to memory of 1764	1808	explorer.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe
"C:\Users\Admin\AppData\Local\Temp\4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:2008

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
PID:1536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1564

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 196
4⤵
- Program crash
PID:624

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 196
3⤵
- Program crash
PID:576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:804

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
MD5
cffe48eed73a2006503d1094dd7e07bf

SHA1
2484ea7e8661d7f21aadb7fb4d79748bc7baae73

SHA256
4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144

SHA512
959cd0e7ad00e019301747b0eb4f080f1e2227d360f01f6095c7fc2a8876158b1fbe644f9fc5156c290bbf756a62df26244cc3a94f811cdd9f6ef67c422af5eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
MD5
cffe48eed73a2006503d1094dd7e07bf

SHA1
2484ea7e8661d7f21aadb7fb4d79748bc7baae73

SHA256
4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144

SHA512
959cd0e7ad00e019301747b0eb4f080f1e2227d360f01f6095c7fc2a8876158b1fbe644f9fc5156c290bbf756a62df26244cc3a94f811cdd9f6ef67c422af5eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
MD5
cffe48eed73a2006503d1094dd7e07bf

SHA1
2484ea7e8661d7f21aadb7fb4d79748bc7baae73

SHA256
4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144

SHA512
959cd0e7ad00e019301747b0eb4f080f1e2227d360f01f6095c7fc2a8876158b1fbe644f9fc5156c290bbf756a62df26244cc3a94f811cdd9f6ef67c422af5eb

Download Submit
C:\Users\Admin\Desktop\ApproveSuspend.odt.664-2E4-EF9
MD5
eb7d410ea61ab50339a674b4af3ad082

SHA1
323277cefd87705ecb63145843bf76700ca3c767

SHA256
aa0be32f97d8f34533299fce284dc520ad671412d040d0dfae33026850db0f2e

SHA512
a447258a0edfe5b07ad459b023969b31d08ba18374bb491c2267bdc5dd2836a506860fc9dfe206416d1f2d2b767c5627b7d837da35d71e7d5330d554e0d79e97

Download Submit
C:\Users\Admin\Desktop\CompareConnect.mov.664-2E4-EF9
MD5
bb2cec0ba18e8455ef149bd1cecb8fee

SHA1
372f493b1697afcea65be7ff75fd7524d83fbd9d

SHA256
60586babd5bb9b9cb2360aa3d329516e5388ae139bf0f80ef6af78e350cd8267

SHA512
b10f03c48f19b6e42c554e7b3ddd93957933ccc56a789bd1d1d89cfaefa1a226cc6a4f2a9338c315227008683d5649e521408e0907c857ffeade18c0aee4bc6c

Download Submit
C:\Users\Admin\Desktop\CompareExpand.lock.664-2E4-EF9
MD5
4a375ad3f3b15a513c9acf9d0c579e4a

SHA1
86d0abc79c696ba755a8bf1267c84c29b6aa2378

SHA256
ef7ebb87452a32efdccf4cd361934da37e0f36aa2942cc5c2e45e34450c453b5

SHA512
bc338c2a927097d3a131380538246a1286ce0d9687fab98da89ecd16eb9e4c5e5dcb507452cb16a419a7b4aa25fde5c5473637158959b4ad3723f5cfa9d6b133

Download Submit
C:\Users\Admin\Desktop\ConnectConvertTo.dwfx.664-2E4-EF9
MD5
5377acbdf24d7fef0ca9ea5a2e77aa9d

SHA1
39bf001f3d95748481b90ae79faed9994f831931

SHA256
68baecb1814d0bece7a46c1c33f459827473660d9e9ca9386a1644c4e5a907cf

SHA512
eab73e3b05df093bea2fb6844e0d384d3ca1b7ab58cf0115af7f3e2f84709f746a0c27bbf5c6e51223f18881ccb3375a5adab5c232a2f5555350254ba18bf05f

Download Submit
C:\Users\Admin\Desktop\DenyRestart.dot.664-2E4-EF9
MD5
71e0a8137186163620779da9f39ec25a

SHA1
b4f38c2ce081a5f42559a5329a0dacad2cb0beb8

SHA256
406e627039e9c8f4de0cb05b7e70bc40c1070dc177a9ffb6fcbeac556301ca65

SHA512
5e9efcb8913dfa5ca66e7bedc20713d5cad94e9ab15fc911046cd2de8e74571457278b9f12a3bcb7af1ce568d0cf9a5d0183b21b7ed4550c560738aa760c5ce6

Download Submit
C:\Users\Admin\Desktop\ExpandResolve.mp4.664-2E4-EF9
MD5
319085825be9b8253d860623d7604400

SHA1
35cbf4e36dcbc7ec07b6a4879dac2c14f06b5f48

SHA256
3853818c197a49738d19e64e8ec3f4e4378bbac3917d5b2658f65b55e335fb47

SHA512
901408d816fbff8a95a33e47eb96984097e739ff98a493b031d5927d3af0606a8ed6dc6f80a0d26e308187e3fe4a6568d635c48ef705eae2f2ccd3a4829f2d1e

Download Submit
C:\Users\Admin\Desktop\FindRequest.3g2.664-2E4-EF9
MD5
b600ff6c4fdeb075415b185fa847d892

SHA1
ac0a47fa32685121a6946356343ee387f9ae6051

SHA256
8ed8169e938a227593a1cd5c85bdd6ae0baa97c7b10e0cc95506f5a6e1f050bb

SHA512
e18679e8e2345538e0e52afb266d56db1821b5403de43931e3e20ab8c17368e8801b4f1ed273cd87b3065e7caa101f8ffbff6158a8ea6ca2c352901a8ccce795

Download Submit
C:\Users\Admin\Desktop\MergeUninstall.rm.664-2E4-EF9
MD5
37d1d953d3b774803bf0c50de777d588

SHA1
8a28570489a8a5793393ad9ee5245a41d2dd3f54

SHA256
8f021680aa11049ab754e5803edf9fb40fcff510cdba199da291d96743c5b04a

SHA512
0738106d4636c307040571077158a7e16251a0e90b5ab9e1c23228d3f4d08907ad440c20fc79ebb4cdec36765e6d061d6283de0a45ddcd29204b095eaf651727

Download Submit
C:\Users\Admin\Desktop\MountShow.ogg.664-2E4-EF9
MD5
dae79866a4d571c2feff77be0d41136d

SHA1
dfe6c98df94668a297ff6ad78464708331ea7332

SHA256
711850ead0c7e44b4b2042a004023d1835c87bc753ec0e93f644470d0692f14f

SHA512
289d7251d675b67e11b4c61256476b10e43b0fd3cc0c2345eacf1282af032365aed23a4aa71b34fcbb023bc265ec3c41dc5722e89a62c9cd89a7c210f6e0251a

Download Submit
C:\Users\Admin\Desktop\PushRequest.wma.664-2E4-EF9
MD5
4f0cec6af850d299f20282e910a06623

SHA1
23db96b8a9490bf0c8fd2b822eec6058fe7244a3

SHA256
70e9e1f2123c5dd7dfc1ca45ee3b6616561b41c621ac5e9bfb1b4c10c797af6f

SHA512
e0404770e8a3de03c2b8413ac0770a05936fbf297bb298518424cde10918fc03874bf65597c65096e7d934e059793a1abef65aced1be52f116ba28a15e119940

Download Submit
C:\Users\Admin\Desktop\RenameClear.vdx.664-2E4-EF9
MD5
e40abb81aab7543a702d4daef98715eb

SHA1
76b11d52bfb03c2e70514f51c4f7ad81c8cfebbc

SHA256
d8ee9917fe9396b15270724a9e4f97dcd2bd6896e71566f08b5431f76ea951ad

SHA512
7fd564e05baed1dc24a290fac6e355fccc4ec93676e9e097a8f5845557500f30c763e1cb6521bb1e00abcc7338990cf35a0e21ed449d159cc18908d4cf8481e4

Download Submit
C:\Users\Admin\Desktop\RequestBackup.xml.664-2E4-EF9
MD5
f511d309703f19dcd5c97bb85af2d503

SHA1
26f88c3e0639b528e60fb31405b6d1e2055486c5

SHA256
5c432a03f57d07ad14cbb693d289e9808db3510725a1320e75a6bca6dc7e5cb9

SHA512
b9c253fbbada5d6abc26dcc7b391a56c0d2c53ac66f805c4a9b77700d1ec5928d7cdb405cca8679f6b24ab2f36a204fe0ae4a72c85b533f6c5fac29dd7107c52

Download Submit
C:\Users\Admin\Desktop\SelectPush.avi.664-2E4-EF9
MD5
c3e39480b6aa012fd0e7d7d471fa5852

SHA1
a24e9fe5858883111ed86f3f10660e0fa37bc5e4

SHA256
51dc957459ea6f5613e6a436649310f5375230f37d4655aba9e9592d6907cec2

SHA512
1e27aafa0d21dd7c9a434b765e5edaf433950e041ffc7c6084ccf96b3245f341ffec80a6fb88784f65dc674d18ea5731674140af601e26a43959367929d4753e

Download Submit
C:\Users\Admin\Desktop\SkipClear.WTV.664-2E4-EF9
MD5
e0b9941accb881a752c7b335aba43dbc

SHA1
cac182312a54d7db8f0d8bb01736f9c0b5484ead

SHA256
9212f0b310cf098d5ac4fc6d89e954ad79d4ae171360abd789ced2478e9329c3

SHA512
8e780b36f96372d091b3abd91bde0a4c2d27fa23f8f02f7c64afa680b8beb5c40f7f9962be5b6e483f02abf34e734abd41618b02420e6e7c68be32413984c9cd

Download Submit
C:\Users\Admin\Desktop\SkipConfirm.3gp2.664-2E4-EF9
MD5
a84618af5e381ad100e9331d83a77b90

SHA1
d673616f486063839f31a8ed169f2fed3dd312f0

SHA256
0f80eb61a03a9576edbb60afc26d9031ad8555ba9af5344bae05925466acc595

SHA512
52237fdf2cd1bb9c41b8a5e012a3fb2281de6e66b1b2474e1151aa7fbedc151eb7bd0a975a544a25a655ab61dd2dc7dd417c21e9e30f34ddd42296ae2ad49154

Download Submit
C:\Users\Admin\Desktop\SkipImport.vssx.664-2E4-EF9
MD5
511081cc1cba7453fe6cf358f0fcb6a6

SHA1
39a07a0452fc4f6fb83f390272deba580710dffc

SHA256
80606e38541798e06d67b9019d47bdccef4eac0a8a4faddf28cb7e65dff1357b

SHA512
901a86b75710d8bd5b9c7bc5abca6a96eda00a6022a6ec497616d8cf45c60f90c15678344bbedd63362989e5dc58c223c2936b09942ddf5a2c0543e6ca39e0e6

Download Submit
C:\Users\Admin\Desktop\SkipLock.m4a.664-2E4-EF9
MD5
b66ffcdeb4c0ddd40110c5d0d6f55589

SHA1
a6272490ce9546a0db279fbe76a6f2fee9783e90

SHA256
87670db9a46d90c73c7d7eb448512b1701cce7be8afb4e68f25e2bd246d3c603

SHA512
eab9c74bc9ea6dbb3452f8c61ebbeb9942c4b8356405114c7a1ce431f4b6126066de61af033da620098bceb5d7ac0cb2acaa51e86a8e25927958bcc400c6f5ad

Download Submit
C:\Users\Admin\Desktop\TraceSearch.docm.664-2E4-EF9
MD5
c627561bac5b68ae8c904aaae6564a89

SHA1
349388aaf587031c1f56841ffabf5f994bf20c0a

SHA256
0e3914b3af4903f09aefff1db7c97211038534afbbcc2bbf37e6aa80ab0010be

SHA512
7552504d1b453cf4b1e9179ee74a4f01d9707ce0040072d230331cb4d9913c9e9a12bfcae42fb6385e137798d941b9a54f9cb65cf08f97786cc955067a384f6b

Download Submit
C:\Users\Admin\Desktop\UpdateMove.pptm.664-2E4-EF9
MD5
dab95028d855b4e2df131cc5bddaf78f

SHA1
5f13889551988240a5546c06228155f686f23761

SHA256
ea6026bced3a3a230519e831463d1ba52a52c3b3ff9c647b38b3632ef01221e0

SHA512
9c9ee5415eb911473a485fdc5d814f5c2eab924055bcc279728dbd9520c89bcddfec483157971f8280a4e0cdba1cadb0906a71ccc18ddb96fd56c641038b6f6a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
MD5
cffe48eed73a2006503d1094dd7e07bf

SHA1
2484ea7e8661d7f21aadb7fb4d79748bc7baae73

SHA256
4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144

SHA512
959cd0e7ad00e019301747b0eb4f080f1e2227d360f01f6095c7fc2a8876158b1fbe644f9fc5156c290bbf756a62df26244cc3a94f811cdd9f6ef67c422af5eb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
MD5
cffe48eed73a2006503d1094dd7e07bf

SHA1
2484ea7e8661d7f21aadb7fb4d79748bc7baae73

SHA256
4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144

SHA512
959cd0e7ad00e019301747b0eb4f080f1e2227d360f01f6095c7fc2a8876158b1fbe644f9fc5156c290bbf756a62df26244cc3a94f811cdd9f6ef67c422af5eb

Download Submit
memory/588-59-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1668-54-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads