Analysis
-
max time kernel
4294211s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20220223-en -
submitted
06-03-2022 06:41
Static task
static1
Behavioral task
behavioral1
Sample
332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
Resource
win7-20220223-en
Behavioral task
behavioral2
Sample
332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
Resource
win10v2004-en-20220113
General
-
Target
332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
-
Size
214KB
-
MD5
42ea94ee3adca8b82fba15ecdde25f26
-
SHA1
ca17412cd44d186db91c4b2fa7df03363533ffd2
-
SHA256
332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a
-
SHA512
cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
pid Process 272 svchost.exe 1480 svchost.exe -
Loads dropped DLL 2 IoCs
pid Process 1620 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe 1620 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe Set value (str) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start" 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\S: svchost.exe File opened (read-only) \??\Q: svchost.exe File opened (read-only) \??\M: svchost.exe File opened (read-only) \??\F: svchost.exe File opened (read-only) \??\A: svchost.exe File opened (read-only) \??\W: svchost.exe File opened (read-only) \??\Y: svchost.exe File opened (read-only) \??\X: svchost.exe File opened (read-only) \??\L: svchost.exe File opened (read-only) \??\K: svchost.exe File opened (read-only) \??\H: svchost.exe File opened (read-only) \??\G: svchost.exe File opened (read-only) \??\E: svchost.exe File opened (read-only) \??\Z: svchost.exe File opened (read-only) \??\P: svchost.exe File opened (read-only) \??\J: svchost.exe File opened (read-only) \??\I: svchost.exe File opened (read-only) \??\T: svchost.exe File opened (read-only) \??\U: svchost.exe File opened (read-only) \??\R: svchost.exe File opened (read-only) \??\O: svchost.exe File opened (read-only) \??\N: svchost.exe File opened (read-only) \??\B: svchost.exe File opened (read-only) \??\V: svchost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 geoiptool.com -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar.822-7B1-847 svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198494.WMF svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG.822-7B1-847 svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.822-7B1-847 svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Easter svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01139_.WMF.822-7B1-847 svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199727.WMF svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7MDT.822-7B1-847 svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar.822-7B1-847 svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_K_COL.HXK.822-7B1-847 svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21316_.GIF svchost.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Azores.822-7B1-847 svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086384.WMF svchost.exe File created C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL011.XML svchost.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Lisbon.822-7B1-847 svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\RELAY.CER svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Maroon.css.822-7B1-847 svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281008.WMF.822-7B1-847 svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02082_.GIF.822-7B1-847 svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\ACT3R.SAM svchost.exe File opened for modification C:\Program Files\7-Zip\Lang\an.txt.822-7B1-847 svchost.exe File created C:\Program Files\Java\jdk1.7.0_80\db\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT svchost.exe File opened for modification C:\Program Files\Java\jre7\lib\security\java.policy svchost.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLPERF.H svchost.exe File opened for modification C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml.822-7B1-847 svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\DELETE.GIF svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar.822-7B1-847 svchost.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Pangnirtung.822-7B1-847 svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif.822-7B1-847 svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217872.WMF.822-7B1-847 svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\ACTIP10.HLP svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePage.gif svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02120_.WMF.822-7B1-847 svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxinfo.ico.822-7B1-847 svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GreenTea.css.822-7B1-847 svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.JP.XML svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALENDAR.DPV svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00269_.WMF.822-7B1-847 svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02413_.WMF svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01734_.GIF svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14800_.GIF svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM.822-7B1-847 svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\ct.sym svchost.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby.822-7B1-847 svchost.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\it-IT\Hearts.exe.mui.822-7B1-847 svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00932_.WMF.822-7B1-847 svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Adjacency.eftx svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21314_.GIF.822-7B1-847 svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_zh_CN.jar svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00236_.WMF.822-7B1-847 svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0228823.WMF.822-7B1-847 svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIcon.jpg svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\Attachments.jpg.822-7B1-847 svchost.exe File opened for modification C:\Program Files\Java\jre7\lib\ext\dnsns.jar.822-7B1-847 svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1672 1988 WerFault.exe 30 -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1980 vssadmin.exe 1092 vssadmin.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 svchost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1620 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe Token: SeDebugPrivilege 1620 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe Token: SeIncreaseQuotaPrivilege 1596 WMIC.exe Token: SeSecurityPrivilege 1596 WMIC.exe Token: SeTakeOwnershipPrivilege 1596 WMIC.exe Token: SeLoadDriverPrivilege 1596 WMIC.exe Token: SeSystemProfilePrivilege 1596 WMIC.exe Token: SeSystemtimePrivilege 1596 WMIC.exe Token: SeProfSingleProcessPrivilege 1596 WMIC.exe Token: SeIncBasePriorityPrivilege 1596 WMIC.exe Token: SeCreatePagefilePrivilege 1596 WMIC.exe Token: SeBackupPrivilege 1596 WMIC.exe Token: SeRestorePrivilege 1596 WMIC.exe Token: SeShutdownPrivilege 1596 WMIC.exe Token: SeDebugPrivilege 1596 WMIC.exe Token: SeSystemEnvironmentPrivilege 1596 WMIC.exe Token: SeRemoteShutdownPrivilege 1596 WMIC.exe Token: SeUndockPrivilege 1596 WMIC.exe Token: SeManageVolumePrivilege 1596 WMIC.exe Token: 33 1596 WMIC.exe Token: 34 1596 WMIC.exe Token: 35 1596 WMIC.exe Token: SeIncreaseQuotaPrivilege 2004 WMIC.exe Token: SeSecurityPrivilege 2004 WMIC.exe Token: SeTakeOwnershipPrivilege 2004 WMIC.exe Token: SeLoadDriverPrivilege 2004 WMIC.exe Token: SeSystemProfilePrivilege 2004 WMIC.exe Token: SeSystemtimePrivilege 2004 WMIC.exe Token: SeProfSingleProcessPrivilege 2004 WMIC.exe Token: SeIncBasePriorityPrivilege 2004 WMIC.exe Token: SeCreatePagefilePrivilege 2004 WMIC.exe Token: SeBackupPrivilege 2004 WMIC.exe Token: SeRestorePrivilege 2004 WMIC.exe Token: SeShutdownPrivilege 2004 WMIC.exe Token: SeDebugPrivilege 2004 WMIC.exe Token: SeSystemEnvironmentPrivilege 2004 WMIC.exe Token: SeRemoteShutdownPrivilege 2004 WMIC.exe Token: SeUndockPrivilege 2004 WMIC.exe Token: SeManageVolumePrivilege 2004 WMIC.exe Token: 33 2004 WMIC.exe Token: 34 2004 WMIC.exe Token: 35 2004 WMIC.exe Token: SeIncreaseQuotaPrivilege 1596 WMIC.exe Token: SeSecurityPrivilege 1596 WMIC.exe Token: SeTakeOwnershipPrivilege 1596 WMIC.exe Token: SeLoadDriverPrivilege 1596 WMIC.exe Token: SeSystemProfilePrivilege 1596 WMIC.exe Token: SeSystemtimePrivilege 1596 WMIC.exe Token: SeProfSingleProcessPrivilege 1596 WMIC.exe Token: SeIncBasePriorityPrivilege 1596 WMIC.exe Token: SeCreatePagefilePrivilege 1596 WMIC.exe Token: SeBackupPrivilege 1596 WMIC.exe Token: SeRestorePrivilege 1596 WMIC.exe Token: SeShutdownPrivilege 1596 WMIC.exe Token: SeDebugPrivilege 1596 WMIC.exe Token: SeSystemEnvironmentPrivilege 1596 WMIC.exe Token: SeRemoteShutdownPrivilege 1596 WMIC.exe Token: SeUndockPrivilege 1596 WMIC.exe Token: SeManageVolumePrivilege 1596 WMIC.exe Token: 33 1596 WMIC.exe Token: 34 1596 WMIC.exe Token: 35 1596 WMIC.exe Token: SeIncreaseQuotaPrivilege 2004 WMIC.exe Token: SeSecurityPrivilege 2004 WMIC.exe -
Suspicious use of WriteProcessMemory 59 IoCs
description pid Process procid_target PID 1620 wrote to memory of 272 1620 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe 29 PID 1620 wrote to memory of 272 1620 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe 29 PID 1620 wrote to memory of 272 1620 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe 29 PID 1620 wrote to memory of 272 1620 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe 29 PID 1620 wrote to memory of 1988 1620 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe 30 PID 1620 wrote to memory of 1988 1620 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe 30 PID 1620 wrote to memory of 1988 1620 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe 30 PID 1620 wrote to memory of 1988 1620 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe 30 PID 1620 wrote to memory of 1988 1620 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe 30 PID 1620 wrote to memory of 1988 1620 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe 30 PID 1620 wrote to memory of 1988 1620 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe 30 PID 1988 wrote to memory of 1672 1988 notepad.exe 31 PID 1988 wrote to memory of 1672 1988 notepad.exe 31 PID 1988 wrote to memory of 1672 1988 notepad.exe 31 PID 1988 wrote to memory of 1672 1988 notepad.exe 31 PID 272 wrote to memory of 1380 272 svchost.exe 33 PID 272 wrote to memory of 1380 272 svchost.exe 33 PID 272 wrote to memory of 1380 272 svchost.exe 33 PID 272 wrote to memory of 1380 272 svchost.exe 33 PID 272 wrote to memory of 916 272 svchost.exe 34 PID 272 wrote to memory of 916 272 svchost.exe 34 PID 272 wrote to memory of 916 272 svchost.exe 34 PID 272 wrote to memory of 916 272 svchost.exe 34 PID 272 wrote to memory of 456 272 svchost.exe 37 PID 272 wrote to memory of 456 272 svchost.exe 37 PID 272 wrote to memory of 456 272 svchost.exe 37 PID 272 wrote to memory of 456 272 svchost.exe 37 PID 272 wrote to memory of 1472 272 svchost.exe 42 PID 272 wrote to memory of 1472 272 svchost.exe 42 PID 272 wrote to memory of 1472 272 svchost.exe 42 PID 272 wrote to memory of 1472 272 svchost.exe 42 PID 272 wrote to memory of 1504 272 svchost.exe 41 PID 272 wrote to memory of 1504 272 svchost.exe 41 PID 272 wrote to memory of 1504 272 svchost.exe 41 PID 272 wrote to memory of 1504 272 svchost.exe 41 PID 272 wrote to memory of 612 272 svchost.exe 40 PID 272 wrote to memory of 612 272 svchost.exe 40 PID 272 wrote to memory of 612 272 svchost.exe 40 PID 272 wrote to memory of 612 272 svchost.exe 40 PID 272 wrote to memory of 1480 272 svchost.exe 39 PID 272 wrote to memory of 1480 272 svchost.exe 39 PID 272 wrote to memory of 1480 272 svchost.exe 39 PID 272 wrote to memory of 1480 272 svchost.exe 39 PID 1380 wrote to memory of 1596 1380 cmd.exe 43 PID 1380 wrote to memory of 1596 1380 cmd.exe 43 PID 1380 wrote to memory of 1596 1380 cmd.exe 43 PID 1380 wrote to memory of 1596 1380 cmd.exe 43 PID 1504 wrote to memory of 1980 1504 cmd.exe 48 PID 1504 wrote to memory of 1980 1504 cmd.exe 48 PID 1504 wrote to memory of 1980 1504 cmd.exe 48 PID 1504 wrote to memory of 1980 1504 cmd.exe 48 PID 612 wrote to memory of 2004 612 cmd.exe 47 PID 612 wrote to memory of 2004 612 cmd.exe 47 PID 612 wrote to memory of 2004 612 cmd.exe 47 PID 612 wrote to memory of 2004 612 cmd.exe 47 PID 612 wrote to memory of 1092 612 cmd.exe 51 PID 612 wrote to memory of 1092 612 cmd.exe 51 PID 612 wrote to memory of 1092 612 cmd.exe 51 PID 612 wrote to memory of 1092 612 cmd.exe 51
Processes
-
C:\Users\Admin\AppData\Local\Temp\332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe"C:\Users\Admin\AppData\Local\Temp\332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:272 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1596
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵PID:916
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵PID:456
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 03⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1480
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat3⤵
- Suspicious use of WriteProcessMemory
PID:612 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:1092
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:1980
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵PID:1472
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1963⤵
- Program crash
PID:1672
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:1448