buran | 1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070

Analysis

max time kernel
152s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
05-03-2022 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe
Size

2.7MB
MD5

4301b4d1cb937816ffe288401d8938bf
SHA1

14126bcc7b1a7ec96114fb28a74c6a4d7e008246
SHA256

1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070
SHA512

82b0ebf62016f0b578384858b4d88fa97c70022a6e5e67871d93da5de2777553f949d40e6968ab9755cec4b48c8e40bdbc2ef4a1bd7a2db3ce52070e12b292bd

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 7D4-071-1F1 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
220	smss.exe
3808	smss.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows\CurrentVersion\Run	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\F:	smss.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\E:	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\access-bridge-64.jar	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightDemiItalic.ttf.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.properties	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\PICTIM32.FLT	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.ja_5.5.0.165303.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART5.BDR.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul.xrm-ms.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PREVIEW.GIF	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ul-oob.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ExpenseReport.xltx	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\core.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-pl.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office32mui.msi.16.en-us.tree.dat.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe.manifest	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\PREVIEW.GIF.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	smss.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\COPYRIGHT	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\msipc.dll.mui	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark.png.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul-oob.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-pl.xrm-ms	smss.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\orcl7.xsl.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.INF	smss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MTCORSVA.TTF.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-pl.xrm-ms.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.LEX	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar.7D4-071-1F1	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar	smss.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\cursors.properties.7D4-071-1F1	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe
Token: SeDebugPrivilege	1676	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe
Token: SeIncreaseQuotaPrivilege	1492	WMIC.exe
Token: SeSecurityPrivilege	1492	WMIC.exe
Token: SeTakeOwnershipPrivilege	1492	WMIC.exe
Token: SeLoadDriverPrivilege	1492	WMIC.exe
Token: SeSystemProfilePrivilege	1492	WMIC.exe
Token: SeSystemtimePrivilege	1492	WMIC.exe
Token: SeProfSingleProcessPrivilege	1492	WMIC.exe
Token: SeIncBasePriorityPrivilege	1492	WMIC.exe
Token: SeCreatePagefilePrivilege	1492	WMIC.exe
Token: SeBackupPrivilege	1492	WMIC.exe
Token: SeRestorePrivilege	1492	WMIC.exe
Token: SeShutdownPrivilege	1492	WMIC.exe
Token: SeDebugPrivilege	1492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1492	WMIC.exe
Token: SeRemoteShutdownPrivilege	1492	WMIC.exe
Token: SeUndockPrivilege	1492	WMIC.exe
Token: SeManageVolumePrivilege	1492	WMIC.exe
Token: 33	1492	WMIC.exe
Token: 34	1492	WMIC.exe
Token: 35	1492	WMIC.exe
Token: 36	1492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2524	WMIC.exe
Token: SeSecurityPrivilege	2524	WMIC.exe
Token: SeTakeOwnershipPrivilege	2524	WMIC.exe
Token: SeLoadDriverPrivilege	2524	WMIC.exe
Token: SeSystemProfilePrivilege	2524	WMIC.exe
Token: SeSystemtimePrivilege	2524	WMIC.exe
Token: SeProfSingleProcessPrivilege	2524	WMIC.exe
Token: SeIncBasePriorityPrivilege	2524	WMIC.exe
Token: SeCreatePagefilePrivilege	2524	WMIC.exe
Token: SeBackupPrivilege	2524	WMIC.exe
Token: SeRestorePrivilege	2524	WMIC.exe
Token: SeShutdownPrivilege	2524	WMIC.exe
Token: SeDebugPrivilege	2524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2524	WMIC.exe
Token: SeRemoteShutdownPrivilege	2524	WMIC.exe
Token: SeUndockPrivilege	2524	WMIC.exe
Token: SeManageVolumePrivilege	2524	WMIC.exe
Token: 33	2524	WMIC.exe
Token: 34	2524	WMIC.exe
Token: 35	2524	WMIC.exe
Token: 36	2524	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2524	WMIC.exe
Token: SeSecurityPrivilege	1492	WMIC.exe
Token: SeSecurityPrivilege	2524	WMIC.exe
Token: SeTakeOwnershipPrivilege	1492	WMIC.exe
Token: SeTakeOwnershipPrivilege	2524	WMIC.exe
Token: SeLoadDriverPrivilege	1492	WMIC.exe
Token: SeLoadDriverPrivilege	2524	WMIC.exe
Token: SeSystemProfilePrivilege	1492	WMIC.exe
Token: SeSystemProfilePrivilege	2524	WMIC.exe
Token: SeSystemtimePrivilege	1492	WMIC.exe
Token: SeSystemtimePrivilege	2524	WMIC.exe
Token: SeProfSingleProcessPrivilege	1492	WMIC.exe
Token: SeProfSingleProcessPrivilege	2524	WMIC.exe
Token: SeIncBasePriorityPrivilege	1492	WMIC.exe
Token: SeIncBasePriorityPrivilege	2524	WMIC.exe
Token: SeCreatePagefilePrivilege	1492	WMIC.exe
Token: SeCreatePagefilePrivilege	2524	WMIC.exe
Token: SeBackupPrivilege	1492	WMIC.exe
Token: SeBackupPrivilege	2524	WMIC.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 220	1676	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	66
PID 1676 wrote to memory of 220	1676	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	66
PID 1676 wrote to memory of 220	1676	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	66
PID 1676 wrote to memory of 3792	1676	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	67
PID 1676 wrote to memory of 3792	1676	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	67
PID 1676 wrote to memory of 3792	1676	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	67
PID 1676 wrote to memory of 3792	1676	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	67
PID 1676 wrote to memory of 3792	1676	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	67
PID 1676 wrote to memory of 3792	1676	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	67
PID 220 wrote to memory of 2976	220	smss.exe	69
PID 220 wrote to memory of 2976	220	smss.exe	69
PID 220 wrote to memory of 2976	220	smss.exe	69
PID 220 wrote to memory of 3768	220	smss.exe	71
PID 220 wrote to memory of 3768	220	smss.exe	71
PID 220 wrote to memory of 3768	220	smss.exe	71
PID 220 wrote to memory of 2992	220	smss.exe	70
PID 220 wrote to memory of 2992	220	smss.exe	70
PID 220 wrote to memory of 2992	220	smss.exe	70
PID 220 wrote to memory of 3788	220	smss.exe	72
PID 220 wrote to memory of 3788	220	smss.exe	72
PID 220 wrote to memory of 3788	220	smss.exe	72
PID 220 wrote to memory of 3664	220	smss.exe	75
PID 220 wrote to memory of 3664	220	smss.exe	75
PID 220 wrote to memory of 3664	220	smss.exe	75
PID 220 wrote to memory of 3816	220	smss.exe	74
PID 220 wrote to memory of 3816	220	smss.exe	74
PID 220 wrote to memory of 3816	220	smss.exe	74
PID 220 wrote to memory of 3808	220	smss.exe	73
PID 220 wrote to memory of 3808	220	smss.exe	73
PID 220 wrote to memory of 3808	220	smss.exe	73
PID 2976 wrote to memory of 2524	2976	cmd.exe	82
PID 2976 wrote to memory of 2524	2976	cmd.exe	82
PID 2976 wrote to memory of 2524	2976	cmd.exe	82
PID 3816 wrote to memory of 1492	3816	cmd.exe	83
PID 3816 wrote to memory of 1492	3816	cmd.exe	83
PID 3816 wrote to memory of 1492	3816	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe
"C:\Users\Admin\AppData\Local\Temp\1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:3788
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3816
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:3664
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:3792