buran | 54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-en-20211208
submitted
06-03-2022 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371.exe
Size

446KB
MD5

567204cbb8d1c5908a5316f9dfdcb353
SHA1

cc7eca3c24883a3b563288c08cfab7cc248a0315
SHA256

54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371
SHA512

ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! HOW TO BACK YOUR FILES !!!.TXT

Family

buran

Ransom Note

YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US: [email protected] ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER: Your personal ID: 11E-ED2-55F Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

spoolsv.exespoolsv.exe

pid process

1648 spoolsv.exe
840 spoolsv.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

spoolsv.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\PingEnter.tiff spoolsv.exe
Loads dropped DLL 2 IoCs

Processes:

54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371.exespoolsv.exe

pid process

1264 54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371.exe
1648 spoolsv.exe

pid	process
1648	spoolsv.exe
840	spoolsv.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\PingEnter.tiff	spoolsv.exe

pid	process
1264	54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371.exe
1648	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\spoolsv.exe\" -start"	54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spoolsv.exe

description	ioc	process
File opened (read-only)	\??\B:	spoolsv.exe
File opened (read-only)	\??\X:	spoolsv.exe
File opened (read-only)	\??\U:	spoolsv.exe
File opened (read-only)	\??\Q:	spoolsv.exe
File opened (read-only)	\??\P:	spoolsv.exe
File opened (read-only)	\??\N:	spoolsv.exe
File opened (read-only)	\??\J:	spoolsv.exe
File opened (read-only)	\??\E:	spoolsv.exe
File opened (read-only)	\??\A:	spoolsv.exe
File opened (read-only)	\??\Y:	spoolsv.exe
File opened (read-only)	\??\L:	spoolsv.exe
File opened (read-only)	\??\W:	spoolsv.exe
File opened (read-only)	\??\T:	spoolsv.exe
File opened (read-only)	\??\S:	spoolsv.exe
File opened (read-only)	\??\R:	spoolsv.exe
File opened (read-only)	\??\G:	spoolsv.exe
File opened (read-only)	\??\Z:	spoolsv.exe
File opened (read-only)	\??\V:	spoolsv.exe
File opened (read-only)	\??\O:	spoolsv.exe
File opened (read-only)	\??\M:	spoolsv.exe
File opened (read-only)	\??\K:	spoolsv.exe
File opened (read-only)	\??\I:	spoolsv.exe
File opened (read-only)	\??\H:	spoolsv.exe
File opened (read-only)	\??\F:	spoolsv.exe

Drops file in Program Files directory 64 IoCs

Processes:

spoolsv.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00810_.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LOGO98.POC.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187829.WMF.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Hardcover.xml.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0136865.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\TAB_ON.GIF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00956_.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152430.WMF.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CG1606.WMF.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_bullets.gif.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7FR.LEX	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf.11E-ED2-55F	spoolsv.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\!!! HOW TO BACK YOUR FILES !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152590.WMF.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21306_.GIF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21335_.GIF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBR.XML	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FS3BOX.POC.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01866_.WMF.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR30F.GIF.11E-ED2-55F	spoolsv.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\!!! HOW TO BACK YOUR FILES !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_SelectionSubpicture.png	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151041.WMF.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187819.WMF.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Origin.thmx	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\01_googleimage.luac	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149407.WMF.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21423_.GIF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_ja.jar	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Nicosia	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232393.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DigitalInk.jpg	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\setup.ini.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Dawson_Creek.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200273.WMF.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKACC.CFG	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02743G.GIF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mspub.exe.manifest	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIcon.jpg	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285750.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR19F.GIF.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views_3.7.0.v20140408-0703.jar.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_zh_CN.jar.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo.11E-ED2-55F	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101858.BMP	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG	spoolsv.exe

Drops file in Windows directory 1 IoCs

Processes:

spoolsv.exe

description ioc process

File created C:\Windows\!!! HOW TO BACK YOUR FILES !!!.TXT spoolsv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1684 936 WerFault.exe notepad.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1596 vssadmin.exe
552 vssadmin.exe

description	ioc	process
File created	C:\Windows\!!! HOW TO BACK YOUR FILES !!!.TXT	spoolsv.exe

pid	pid_target	process	target process
1684	936	WerFault.exe	notepad.exe

pid	process
1596	vssadmin.exe
552	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1160	vssvc.exe
Token: SeRestorePrivilege	1160	vssvc.exe
Token: SeAuditPrivilege	1160	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1688	WMIC.exe
Token: SeSecurityPrivilege	1688	WMIC.exe
Token: SeTakeOwnershipPrivilege	1688	WMIC.exe
Token: SeLoadDriverPrivilege	1688	WMIC.exe
Token: SeSystemProfilePrivilege	1688	WMIC.exe
Token: SeSystemtimePrivilege	1688	WMIC.exe
Token: SeProfSingleProcessPrivilege	1688	WMIC.exe
Token: SeIncBasePriorityPrivilege	1688	WMIC.exe
Token: SeCreatePagefilePrivilege	1688	WMIC.exe
Token: SeBackupPrivilege	1688	WMIC.exe
Token: SeRestorePrivilege	1688	WMIC.exe
Token: SeShutdownPrivilege	1688	WMIC.exe
Token: SeDebugPrivilege	1688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1688	WMIC.exe
Token: SeRemoteShutdownPrivilege	1688	WMIC.exe
Token: SeUndockPrivilege	1688	WMIC.exe
Token: SeManageVolumePrivilege	1688	WMIC.exe
Token: 33	1688	WMIC.exe
Token: 34	1688	WMIC.exe
Token: 35	1688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1472	WMIC.exe
Token: SeSecurityPrivilege	1472	WMIC.exe
Token: SeTakeOwnershipPrivilege	1472	WMIC.exe
Token: SeLoadDriverPrivilege	1472	WMIC.exe
Token: SeSystemProfilePrivilege	1472	WMIC.exe
Token: SeSystemtimePrivilege	1472	WMIC.exe
Token: SeProfSingleProcessPrivilege	1472	WMIC.exe
Token: SeIncBasePriorityPrivilege	1472	WMIC.exe
Token: SeCreatePagefilePrivilege	1472	WMIC.exe
Token: SeBackupPrivilege	1472	WMIC.exe
Token: SeRestorePrivilege	1472	WMIC.exe
Token: SeShutdownPrivilege	1472	WMIC.exe
Token: SeDebugPrivilege	1472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1472	WMIC.exe
Token: SeRemoteShutdownPrivilege	1472	WMIC.exe
Token: SeUndockPrivilege	1472	WMIC.exe
Token: SeManageVolumePrivilege	1472	WMIC.exe
Token: 33	1472	WMIC.exe
Token: 34	1472	WMIC.exe
Token: 35	1472	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1688	WMIC.exe
Token: SeSecurityPrivilege	1688	WMIC.exe
Token: SeTakeOwnershipPrivilege	1688	WMIC.exe
Token: SeLoadDriverPrivilege	1688	WMIC.exe
Token: SeSystemProfilePrivilege	1688	WMIC.exe
Token: SeSystemtimePrivilege	1688	WMIC.exe
Token: SeProfSingleProcessPrivilege	1688	WMIC.exe
Token: SeIncBasePriorityPrivilege	1688	WMIC.exe
Token: SeCreatePagefilePrivilege	1688	WMIC.exe
Token: SeBackupPrivilege	1688	WMIC.exe
Token: SeRestorePrivilege	1688	WMIC.exe
Token: SeShutdownPrivilege	1688	WMIC.exe
Token: SeDebugPrivilege	1688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1688	WMIC.exe
Token: SeRemoteShutdownPrivilege	1688	WMIC.exe
Token: SeUndockPrivilege	1688	WMIC.exe
Token: SeManageVolumePrivilege	1688	WMIC.exe
Token: 33	1688	WMIC.exe
Token: 34	1688	WMIC.exe
Token: 35	1688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1472	WMIC.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371.exespoolsv.execmd.execmd.execmd.exenotepad.exe

description	pid	process	target process
PID 1264 wrote to memory of 1648	1264	54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371.exe	spoolsv.exe
PID 1264 wrote to memory of 1648	1264	54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371.exe	spoolsv.exe
PID 1264 wrote to memory of 1648	1264	54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371.exe	spoolsv.exe
PID 1264 wrote to memory of 1648	1264	54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371.exe	spoolsv.exe
PID 1648 wrote to memory of 576	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 576	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 576	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 576	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 608	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 608	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 608	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 608	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 988	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 988	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 988	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 988	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 1832	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 1832	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 1832	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 1832	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 1656	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 1656	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 1656	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 1656	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 1092	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 1092	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 1092	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 1092	1648	spoolsv.exe	cmd.exe
PID 1648 wrote to memory of 840	1648	spoolsv.exe	spoolsv.exe
PID 1648 wrote to memory of 840	1648	spoolsv.exe	spoolsv.exe
PID 1648 wrote to memory of 840	1648	spoolsv.exe	spoolsv.exe
PID 1648 wrote to memory of 840	1648	spoolsv.exe	spoolsv.exe
PID 1656 wrote to memory of 1596	1656	cmd.exe	vssadmin.exe
PID 1656 wrote to memory of 1596	1656	cmd.exe	vssadmin.exe
PID 1656 wrote to memory of 1596	1656	cmd.exe	vssadmin.exe
PID 1656 wrote to memory of 1596	1656	cmd.exe	vssadmin.exe
PID 576 wrote to memory of 1472	576	cmd.exe	WMIC.exe
PID 576 wrote to memory of 1472	576	cmd.exe	WMIC.exe
PID 576 wrote to memory of 1472	576	cmd.exe	WMIC.exe
PID 576 wrote to memory of 1472	576	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 1688	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 1688	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 1688	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 1688	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 552	1092	cmd.exe	vssadmin.exe
PID 1092 wrote to memory of 552	1092	cmd.exe	vssadmin.exe
PID 1092 wrote to memory of 552	1092	cmd.exe	vssadmin.exe
PID 1092 wrote to memory of 552	1092	cmd.exe	vssadmin.exe
PID 1648 wrote to memory of 936	1648	spoolsv.exe	notepad.exe
PID 1648 wrote to memory of 936	1648	spoolsv.exe	notepad.exe
PID 1648 wrote to memory of 936	1648	spoolsv.exe	notepad.exe
PID 1648 wrote to memory of 936	1648	spoolsv.exe	notepad.exe
PID 1648 wrote to memory of 936	1648	spoolsv.exe	notepad.exe
PID 1648 wrote to memory of 936	1648	spoolsv.exe	notepad.exe
PID 1648 wrote to memory of 936	1648	spoolsv.exe	notepad.exe
PID 936 wrote to memory of 1684	936	notepad.exe	WerFault.exe
PID 936 wrote to memory of 1684	936	notepad.exe	WerFault.exe
PID 936 wrote to memory of 1684	936	notepad.exe	WerFault.exe
PID 936 wrote to memory of 1684	936	notepad.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371.exe
"C:\Users\Admin\AppData\Local\Temp\54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1596

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
- Drops file in Windows directory
PID:840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1832

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 196
4⤵
- Program crash
PID:1684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
49f30697c634c40272e3aa13c370279f

SHA1
bd543555d20162a2afcfb3a0f85cde37b7faf0db

SHA256
c4b9272708e65c60dcd4d94a9e5f0327590963911bf3c66b27de9666a050cfe3

SHA512
ee541518a003f153492457e3dfae6d0f05ac6d2f93360dc5708ed8f81ba19df612b8ef5a77495c0313e59162220936e41b4687bbf6df62e9c917054925e248bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
567204cbb8d1c5908a5316f9dfdcb353

SHA1
cc7eca3c24883a3b563288c08cfab7cc248a0315

SHA256
54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371

SHA512
ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
567204cbb8d1c5908a5316f9dfdcb353

SHA1
cc7eca3c24883a3b563288c08cfab7cc248a0315

SHA256
54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371

SHA512
ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
567204cbb8d1c5908a5316f9dfdcb353

SHA1
cc7eca3c24883a3b563288c08cfab7cc248a0315

SHA256
54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371

SHA512
ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b

Download Submit
C:\Users\Admin\Desktop\BlockMerge.mp3.11E-ED2-55F
MD5
7f3e64219cfcc28d0a99d1110ee9ed6b

SHA1
74b23fa6b2b0a8b0dffbe27f4c2026030a62aa11

SHA256
f33db048ca4d195f447f3f411ce9d5ef1c38287b7e7fd6ad4cacb863e79c236c

SHA512
74fe140cc08deea2294e6263d02f6cabbb9097b5cdc83f1998f139406b16bda54f931c3a85560f24e1853c248c7ee2dc175944102977d14f1ac1bfad8bf0aa7c

Download Submit
C:\Users\Admin\Desktop\ClearDismount.inf.11E-ED2-55F
MD5
f831afe1e6bae46d4478b21f5acb1e3b

SHA1
eb20d1d2f9eea66597d1f7e5912cf42bc18db521

SHA256
d00bce44250dbd2f301910584d9055fd1a0dc1cf6285dfc9afc9e90951146e2f

SHA512
33de17895b38a41545a67623179e81c12cd6ce51bcfb8b5d658f20248cb1fddc63fff56613a050a6b2c1e893d6308d1843c96e8da29d0ab89ca241d20a499ae5

Download Submit
C:\Users\Admin\Desktop\ClearUninstall.xps.11E-ED2-55F
MD5
23a71170119eaad00f5e6113788d1052

SHA1
e82641ac9e2286fd75993367673cebf3f326ae01

SHA256
8bc426bd9a95cbfbf037a02345598451eea14cb861d9dcf36af3239f05bb7df3

SHA512
de9e35f78909597ffe8097ed4ea503894d5f43ff1ca31f197360e29a2d7cb3e488850f47cb1fa4b9a12ca4e721af5075418b93ea561100f2d97fff54f5e870b7

Download Submit
C:\Users\Admin\Desktop\ConfirmImport.cab.11E-ED2-55F
MD5
99e88c12b395b1daac6316da2acc0221

SHA1
fdfc728e6da4a97ca6790fabe0bd904e40904395

SHA256
7cb3558598e2a0b2bae19d269fa1cc0be20edf5802ef855c436c8820b0291991

SHA512
3ccf11ed4d4f90a1a12dac9b73442c63ae96b7b6d79aad1c8127859b78749b1383f8a43adae7a8d0d5e8d9d9d3df24c9b9e3d3d28d9fd5a2092ce7ad77b6d27c

Download Submit
C:\Users\Admin\Desktop\FormatDismount.pptm.11E-ED2-55F
MD5
d75ff2ac790c5a7928392c167364234e

SHA1
832d7dd4400cc677c3f363eb478e6e2aeffb221b

SHA256
596a3176a98bff7e75071655bf9707c05afb1a88d09bd5a80a525edd237a8f07

SHA512
4bf6cb7635dee2c013fb121f9bf817422aaa8fef1953804724b649865a62e1d7590493453d775a32e7f0ff023e1503a54661ee0130036dfcba6c37e35896509d

Download Submit
C:\Users\Admin\Desktop\GrantRemove.wma.11E-ED2-55F
MD5
f89be963d5c4cb2a9b02a41751eabe23

SHA1
7047acb68910b798ab295f33bd76f30f396da8af

SHA256
856c41c06b1469787dec70df1fcecc478a357939806d0bba5c5d4fc2411f3506

SHA512
3309914b8348adbc8526ce072eface7327557e666d9564ac81ca417111898674ec5eb1d378cfcbea679180042db82abc21359e9fcb9b35f1fc5a60b78d3e6bb6

Download Submit
C:\Users\Admin\Desktop\InvokeSplit.rm.11E-ED2-55F
MD5
336c59863a5ba215bb007bd10aa34c98

SHA1
e1c2ffccea4002f852a3546ba3812ef7339ea1ab

SHA256
3abd6fc942ccdcefae789cb7f524877d7a1dccd2265848601d05beae45f8099c

SHA512
1d41c1913f81a942b66fe63684d17585e4bd6f97d41d295f9105e5bfb4ca6a8dbd4cae7ce4eb3faf3bead2df689bd8dad4d78b5af10ee4d3e6933acdc2755369

Download Submit
C:\Users\Admin\Desktop\JoinWrite.exe.11E-ED2-55F
MD5
90d520a4978a2991960f100d1cb4999c

SHA1
205ff910de3def12480f3e248b230da3a608281d

SHA256
85e280913038836968868ea91d773bcacd53584e053e1c68977017b84cff2e8e

SHA512
dad82ff11751be569b6f272624a2bb8143e6eb902172b228169ad2564d00c51f71c3a0d8eba4480cdf299769b5f99afcaa7c35d7109dd7eb8c65123052c4678b

Download Submit
C:\Users\Admin\Desktop\LockFormat.xps.11E-ED2-55F
MD5
98b57f74770ee0b53851f7930b257e66

SHA1
7cd9907ba45c22ff2c75fda18c9f9a6049fd9e8b

SHA256
6d2cacaf3a2b5a0757c7c4eb5cf0b36fd375116a09d19d357b893e3c798b133f

SHA512
57e0770cc4cd4c8408c21e9655890fea25cd885e87a60584554f82e0cbd8401e2d7cb1faad060a96ff4610555764793738e56bc2969906ba5aa6cb4cc257739c

Download Submit
C:\Users\Admin\Desktop\LockUnlock.vb.11E-ED2-55F
MD5
c6b440c2d044f6ed2ec9a8561525cbb6

SHA1
bf710171001c10457cd855a4f0c78c40c46e0923

SHA256
533fc6d9447012e0ddfcbdbc469f12581b729a3986274749590fc695c7f0639f

SHA512
d6fe30cb7e12297095c1a1ea30c24947d4bee334577c2af93974ca7170b17cd573a292d9b365120d5f4e62e41b1f33d83a5413d2ad703018f6114810708e5464

Download Submit
C:\Users\Admin\Desktop\ProtectLimit.vb.11E-ED2-55F
MD5
819410229ae088a83c9c1ecd7367e903

SHA1
1e56259bcb233b6fe21ee5e572e2de4c0b44d196

SHA256
bf6e8b0edadb1f8a0514ef1d4d885bac3b6d512d1e888bc7c60716eb71a68cf2

SHA512
6f2f69bf82d4808bcc22871091a9da2416e72a8004d4d0e1ec1125c5eeb12cfabf8f36ea95c9a8432e2e42b1ae356581c771691493d6678f62ee3e06cf3d0289

Download Submit
C:\Users\Admin\Desktop\PushLock.wmv.11E-ED2-55F
MD5
662a72b1bd438bb81e3f497e67aa36e0

SHA1
8a53ba5b18ae7bb23dd4f9c803bbd5d06218ba0d

SHA256
3604c412f64d896f498280364cd2e2d47fe853cc001b2ff3678cdb01aa1131bf

SHA512
9fcbeb85b522ed4b0738ab20162bdd79cea80e5ac141077d26827c5cd9630f6871f008a25f619b408a78d3eb62ffe149a93530968af1803f4b4344b77e09272e

Download Submit
C:\Users\Admin\Desktop\RenameRevoke.contact.11E-ED2-55F
MD5
cce2bc72b17c088c745e117ea6b39851

SHA1
6d3ea4e91bab88117279d5d9f000004398820585

SHA256
9df3d41d4ab2550fc19d85b1ac49559dbe4590892a4708b2a802d8e130cda5c2

SHA512
fb65f71ca56ac0ea79b031ed0616196e002079c5a2a099ba4494df284524d2f46a0c24940175fe3374fb745e44685227a9787767838d0b95f80e23da953d10f7

Download Submit
C:\Users\Admin\Desktop\RepairInvoke.pcx.11E-ED2-55F
MD5
f4e551dd732b33735d5eb22eb9a4b46e

SHA1
0b72fe556fa25cdc2ce46c0f4a0a3a4f80277dbd

SHA256
9f87485ca6b84b6e8f12ca16a7ba609d54830dd4ae9a22a9933019e5a6165aac

SHA512
a0bf5f26ceba25fec8739645e354380a504855e5ec92caca73ab9cb177304a197e674aee331b5578c5fbd1497b49866b0bc331ec43ef5b469fa78c99673cac1c

Download Submit
C:\Users\Admin\Desktop\RequestConvertFrom.3gp.11E-ED2-55F
MD5
c2ea580dfd2e6aa60dd8f32717db33a7

SHA1
3400783096115d7704ca397fcdeb2a014330f325

SHA256
81bb71583c6730860afe70f146872bf6c27688fe7d61bfbaacd17e397a8b661c

SHA512
2dd771a18de7a4bac80039746f3fd2374e05a9d59abfb559cdb170c9962c0800936739e8179079a7ee3f1c2bafeec6332441dc82c10b5fcbe0bb48e1ddfa2a7a

Download Submit
C:\Users\Admin\Desktop\ResetMove.001.11E-ED2-55F
MD5
477615b024a8a1c6fa734ac4a4226e4b

SHA1
4a477a5375bf9b99e9b4feaf04fba6e0d43334b7

SHA256
9e89084e2231ca093322fe2afd895237d1b258ad51a958f2c5b132cc2d835d02

SHA512
075d88c6affb2d75a80747f7b2c4ae40bc24ae89a342ee8c2818a7131d291e7b79340a7cf20b3084092d14a716f28288546b71101a82aec2ef4144f3e71f1418

Download Submit
C:\Users\Admin\Desktop\RestoreMeasure.mpv2.11E-ED2-55F
MD5
22af50f529e9179be99885e34e2504bd

SHA1
dcf16f4449e6d5dcbb4c30b9479e43b852074ef6

SHA256
dbb9653cfbb43c439ea41e554f9cd5bcffa5668feb7706b90b20dec9992684f9

SHA512
8e19779b25b1c604f8e67d493ac0989d07fc685d4469587b7d195a46402311a15ea107b0a7f443d96015c8a13a205dce9b4d29bc2eba4f3285f11baed1001a4c

Download Submit
C:\Users\Admin\Desktop\SetAssert.potm.11E-ED2-55F
MD5
071017cdf738f82db83b51635c7a0874

SHA1
c602fe55fca97c3805b60c26622dfdc9d13da668

SHA256
94f712fe6f54bd859c834ad27f4ac86f09ed2ff7c79f1c32d79cfa6437542529

SHA512
9b272a61976c2097a198d012d5e1c9de60522cd3163145bcad77aef56643f4ef5b197b9fa8fd5b1d7854b0079de505e04383ad305e22719eb8cab3ca3ff0f44e

Download Submit
C:\Users\Admin\Desktop\TestFind.ogg.11E-ED2-55F
MD5
5b3de6e73d86349a775f34cbd61b821c

SHA1
f9d9559880c4adfb163b45525cf70fa0e8ad5f19

SHA256
da0881f51e002c3e03219980e927c6184b00ca45dd3b91fc1a4de7d41045cdba

SHA512
52c47d2c0d78a7580f8c9a28ec3227c43c3e5ce7c4f86f7f3040cdbbc7cf3ce134232f9c4f6599e53aa7ffdb6295c24c7f8fa80e3e020745b6aee126c76b33c8

Download Submit
C:\Users\Admin\Desktop\TraceSkip.shtml.11E-ED2-55F
MD5
fbf76358abb105b43085a912c5eaa716

SHA1
c44f9dc7efebbfd4d7e0333b938529e3b08c2cab

SHA256
699e0f4ab380c521017203e637cbbd23652be5bf6346d9b1146def9d3587220b

SHA512
56abdf8ddb87abd9eba5bcc7a31d307df909e437f135ea2a1976ea710ceb3185dfbde94b66de5af7991d1f460fa794bd06c3cd1af6d8d59572c965e13fedab51

Download Submit
C:\Users\Admin\Desktop\UndoStep.ttf.11E-ED2-55F
MD5
fd372bd876fb6ca9c1f18abbb47511b3

SHA1
27c559b08fdc591b59ce19d4c4946fd05e16c82e

SHA256
11925548fe2fed7451ed33618717c587a2a4bfa69b9425413a0b3a18c62bd090

SHA512
ce85832a9ad4e7aa7db5db43962b925ae296d4bd9423f2752932b8998810f0202107f714c2bfd5d996409fba5f75cb3484cb67712ff38d233f56f121560c7982

Download Submit
C:\Users\Admin\Desktop\WaitSearch.aiff.11E-ED2-55F
MD5
d8cf910046077185a4720320284c4239

SHA1
ffc364f93682ac56c3a0c7dc952e91be63fcf5ca

SHA256
4515f8561baf1f507712e329c8eb02f53b15a90886628eec74f95680ee9486cf

SHA512
3ae4830ab6778466300cf3c96e20c7b54af8c32c112e5afb43235c0cd94c2e38f6fc20fd7f2fa29d00b8a168f8fee4ddc14890720db976f5bb15f568db5674a1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
567204cbb8d1c5908a5316f9dfdcb353

SHA1
cc7eca3c24883a3b563288c08cfab7cc248a0315

SHA256
54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371

SHA512
ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
567204cbb8d1c5908a5316f9dfdcb353

SHA1
cc7eca3c24883a3b563288c08cfab7cc248a0315

SHA256
54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371

SHA512
ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b

Download Submit
memory/840-68-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/840-67-0x0000000001E40000-0x0000000001FD2000-memory.dmp

Filesize
1.6MB

Download
memory/936-92-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1264-55-0x0000000075421000-0x0000000075423000-memory.dmp

Filesize
8KB

Download
memory/1264-57-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/1264-56-0x0000000001F30000-0x00000000020C2000-memory.dmp

Filesize
1.6MB

Download
memory/1648-61-0x0000000002080000-0x0000000002212000-memory.dmp

Filesize
1.6MB

Download
memory/1648-62-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads