buran | 442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
05/03/2022, 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
Size

214KB
MD5

2f1ecf99dd8a2648dd013c5fe6ecb6f5
SHA1

121c377693b96eef8e84861f091ef47e6fb6cae5
SHA256

442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024
SHA512

793eb6a3f3d0323b0749a35e372c9fcde15a912f32d74fc5fa0fc104c32d8348f431347fefd1c34e3d51d9b20432f8e66b9ae3b9523b4b4b21e76b6fd2ae8219

Score

10^/10

buran ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 163-CC3-CC9 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\F:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\Z:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\Y:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\U:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\L:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\J:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\E:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\N:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\M:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\H:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\G:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\B:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\X:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\W:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\P:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\R:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\Q:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\K:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\I:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\A:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\V:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\T:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened (read-only)	\??\S:	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_18.svg.163-CC3-CC9	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Dismiss.scale-80.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-400.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.163-CC3-CC9	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\AppxSignature.p7x	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-150.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms.163-CC3-CC9	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageMedTile.scale-150.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_In_App_Notification.m4a	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xea22.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-16_altform-unplated.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalSplashScreen.scale-200.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-256.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\spectrum_spinner.svg	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.tree.dat.163-CC3-CC9	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jscripts\wefgallerywinrt.js	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_altform-unplated_contrast-white.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\PNG32.FLT	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\PREVIEW.GIF.163-CC3-CC9	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-48_contrast-white.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-20_altform-unplated.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-100.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-128.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-1346565761-3498240568-4147300184-1000-MergedResources-0.pri	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.163-CC3-CC9	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_ja.jar.163-CC3-CC9	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_altform-unplated_contrast-black.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyCalendarSearch.scale-400.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-2.jpg	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\WideTile.scale-100.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-disabled.svg.163-CC3-CC9	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\vlc.mo	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-black_scale-200.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\vlc.mo	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.163-CC3-CC9	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.ebbfea5f.pri	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\FetchingMail.scale-100.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\jmxremote.access.163-CC3-CC9	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_sv.properties	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-125_contrast-white.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-32_altform-unplated.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-80_altform-unplated.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-30_contrast-black.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\GlassPixelShader.cso	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\access-bridge-64.jar	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-125_contrast-white.png	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.163-CC3-CC9	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sqlpdw.xsl.163-CC3-CC9	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	112	WMIC.exe
Token: SeSecurityPrivilege	112	WMIC.exe
Token: SeTakeOwnershipPrivilege	112	WMIC.exe
Token: SeLoadDriverPrivilege	112	WMIC.exe
Token: SeSystemProfilePrivilege	112	WMIC.exe
Token: SeSystemtimePrivilege	112	WMIC.exe
Token: SeProfSingleProcessPrivilege	112	WMIC.exe
Token: SeIncBasePriorityPrivilege	112	WMIC.exe
Token: SeCreatePagefilePrivilege	112	WMIC.exe
Token: SeBackupPrivilege	112	WMIC.exe
Token: SeRestorePrivilege	112	WMIC.exe
Token: SeShutdownPrivilege	112	WMIC.exe
Token: SeDebugPrivilege	112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	112	WMIC.exe
Token: SeRemoteShutdownPrivilege	112	WMIC.exe
Token: SeUndockPrivilege	112	WMIC.exe
Token: SeManageVolumePrivilege	112	WMIC.exe
Token: 33	112	WMIC.exe
Token: 34	112	WMIC.exe
Token: 35	112	WMIC.exe
Token: 36	112	WMIC.exe
Token: SeIncreaseQuotaPrivilege	224	WMIC.exe
Token: SeSecurityPrivilege	224	WMIC.exe
Token: SeTakeOwnershipPrivilege	224	WMIC.exe
Token: SeLoadDriverPrivilege	224	WMIC.exe
Token: SeSystemProfilePrivilege	224	WMIC.exe
Token: SeSystemtimePrivilege	224	WMIC.exe
Token: SeProfSingleProcessPrivilege	224	WMIC.exe
Token: SeIncBasePriorityPrivilege	224	WMIC.exe
Token: SeCreatePagefilePrivilege	224	WMIC.exe
Token: SeBackupPrivilege	224	WMIC.exe
Token: SeRestorePrivilege	224	WMIC.exe
Token: SeShutdownPrivilege	224	WMIC.exe
Token: SeDebugPrivilege	224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	224	WMIC.exe
Token: SeRemoteShutdownPrivilege	224	WMIC.exe
Token: SeUndockPrivilege	224	WMIC.exe
Token: SeManageVolumePrivilege	224	WMIC.exe
Token: 33	224	WMIC.exe
Token: 34	224	WMIC.exe
Token: 35	224	WMIC.exe
Token: 36	224	WMIC.exe
Token: SeIncreaseQuotaPrivilege	224	WMIC.exe
Token: SeSecurityPrivilege	224	WMIC.exe
Token: SeTakeOwnershipPrivilege	224	WMIC.exe
Token: SeLoadDriverPrivilege	224	WMIC.exe
Token: SeSystemProfilePrivilege	224	WMIC.exe
Token: SeSystemtimePrivilege	224	WMIC.exe
Token: SeProfSingleProcessPrivilege	224	WMIC.exe
Token: SeIncBasePriorityPrivilege	224	WMIC.exe
Token: SeCreatePagefilePrivilege	224	WMIC.exe
Token: SeBackupPrivilege	224	WMIC.exe
Token: SeRestorePrivilege	224	WMIC.exe
Token: SeShutdownPrivilege	224	WMIC.exe
Token: SeDebugPrivilege	224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	224	WMIC.exe
Token: SeRemoteShutdownPrivilege	224	WMIC.exe
Token: SeUndockPrivilege	224	WMIC.exe
Token: SeManageVolumePrivilege	224	WMIC.exe
Token: 33	224	WMIC.exe
Token: 34	224	WMIC.exe
Token: 35	224	WMIC.exe
Token: 36	224	WMIC.exe
Token: SeIncreaseQuotaPrivilege	112	WMIC.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2260	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	89
PID 2800 wrote to memory of 2260	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	89
PID 2800 wrote to memory of 2260	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	89
PID 2800 wrote to memory of 2224	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	90
PID 2800 wrote to memory of 2224	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	90
PID 2800 wrote to memory of 2224	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	90
PID 2800 wrote to memory of 1728	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	91
PID 2800 wrote to memory of 1728	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	91
PID 2800 wrote to memory of 1728	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	91
PID 2800 wrote to memory of 1940	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	92
PID 2800 wrote to memory of 1940	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	92
PID 2800 wrote to memory of 1940	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	92
PID 2800 wrote to memory of 1924	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	93
PID 2800 wrote to memory of 1924	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	93
PID 2800 wrote to memory of 1924	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	93
PID 2800 wrote to memory of 2320	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	94
PID 2800 wrote to memory of 2320	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	94
PID 2800 wrote to memory of 2320	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	94
PID 2800 wrote to memory of 4068	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	95
PID 2800 wrote to memory of 4068	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	95
PID 2800 wrote to memory of 4068	2800	442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe	95
PID 2260 wrote to memory of 224	2260	cmd.exe	102
PID 2260 wrote to memory of 224	2260	cmd.exe	102
PID 2260 wrote to memory of 224	2260	cmd.exe	102
PID 2320 wrote to memory of 112	2320	cmd.exe	103
PID 2320 wrote to memory of 112	2320	cmd.exe	103
PID 2320 wrote to memory of 112	2320	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
"C:\Users\Admin\AppData\Local\Temp\442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  2⤵
  PID:2224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:1940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
  2⤵
  PID:1924
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:112
- C:\Users\Admin\AppData\Local\Temp\442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
  "C:\Users\Admin\AppData\Local\Temp\442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe" -agent 0
  2⤵
  - Drops file in Program Files directory
  PID:4068