buran | 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

Analysis

max time kernel
151s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
06-03-2022 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
Size

214KB
MD5

42ea94ee3adca8b82fba15ecdde25f26
SHA1

ca17412cd44d186db91c4b2fa7df03363533ffd2
SHA256

332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a
SHA512

cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] telegram:uspex12345 Your personal ID: 4ED-42E-774 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

Processes:

taskeng.exetaskeng.exe

pid	Process
384	taskeng.exe
1888	taskeng.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskeng.exe

description	ioc	Process
File opened (read-only)	\??\V:	taskeng.exe
File opened (read-only)	\??\S:	taskeng.exe
File opened (read-only)	\??\R:	taskeng.exe
File opened (read-only)	\??\I:	taskeng.exe
File opened (read-only)	\??\X:	taskeng.exe
File opened (read-only)	\??\U:	taskeng.exe
File opened (read-only)	\??\L:	taskeng.exe
File opened (read-only)	\??\F:	taskeng.exe
File opened (read-only)	\??\W:	taskeng.exe
File opened (read-only)	\??\P:	taskeng.exe
File opened (read-only)	\??\O:	taskeng.exe
File opened (read-only)	\??\N:	taskeng.exe
File opened (read-only)	\??\J:	taskeng.exe
File opened (read-only)	\??\E:	taskeng.exe
File opened (read-only)	\??\B:	taskeng.exe
File opened (read-only)	\??\A:	taskeng.exe
File opened (read-only)	\??\Z:	taskeng.exe
File opened (read-only)	\??\Y:	taskeng.exe
File opened (read-only)	\??\T:	taskeng.exe
File opened (read-only)	\??\Q:	taskeng.exe
File opened (read-only)	\??\M:	taskeng.exe
File opened (read-only)	\??\K:	taskeng.exe
File opened (read-only)	\??\H:	taskeng.exe
File opened (read-only)	\??\G:	taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

taskeng.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe.4ED-42E-774	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png.4ED-42E-774	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml.4ED-42E-774	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.png.4ED-42E-774	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_contrast-black.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Paint_PDP.xml	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-200_contrast-white.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlFrontIndicator.png	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\ffjcext.zip	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.SF.4ED-42E-774	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms	taskeng.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Fonts\BroMDL2.2.33.ttf	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\THMBNAIL.PNG	taskeng.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsymxb.ttf	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-100.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluCCFilesEmpty_180x180.svg	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\ui-strings.js	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png.4ED-42E-774	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\CIEXYZ.pf	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W3.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-200_contrast-white.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\WideTile.scale-200.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hr-hr\ui-strings.js	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-pl.xrm-ms.4ED-42E-774	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-24_altform-unplated.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-96_altform-unplated.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeMediumTile.scale-400.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-200_contrast-black.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_initiator.gif.4ED-42E-774	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-phn.xrm-ms.4ED-42E-774	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml.4ED-42E-774	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-32_contrast-white.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\rhp_world_icon.png.4ED-42E-774	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-20_altform-unplated_contrast-black.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\avatar_group_large.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-72.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png.4ED-42E-774	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-400.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\MedTile.scale-200.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-200_contrast-black.png	taskeng.exe
File opened for modification	C:\Program Files\ReadPublish.xht.4ED-42E-774	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_de.properties.4ED-42E-774	taskeng.exe
File created	C:\Program Files\Java\jre1.8.0_66\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe.4ED-42E-774	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+Connect to New Data Source.odc.4ED-42E-774	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-150.png	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\svgCheckboxSelected.svg.4ED-42E-774	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms.4ED-42E-774	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-phn.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-200_contrast-black.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\LargeTile.scale-125.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\dropdownarrow_16x16x32.png	taskeng.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	3020	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
Token: SeDebugPrivilege	3020	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
Token: SeIncreaseQuotaPrivilege	3392	WMIC.exe
Token: SeSecurityPrivilege	3392	WMIC.exe
Token: SeTakeOwnershipPrivilege	3392	WMIC.exe
Token: SeLoadDriverPrivilege	3392	WMIC.exe
Token: SeSystemProfilePrivilege	3392	WMIC.exe
Token: SeSystemtimePrivilege	3392	WMIC.exe
Token: SeProfSingleProcessPrivilege	3392	WMIC.exe
Token: SeIncBasePriorityPrivilege	3392	WMIC.exe
Token: SeCreatePagefilePrivilege	3392	WMIC.exe
Token: SeBackupPrivilege	3392	WMIC.exe
Token: SeRestorePrivilege	3392	WMIC.exe
Token: SeShutdownPrivilege	3392	WMIC.exe
Token: SeDebugPrivilege	3392	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3392	WMIC.exe
Token: SeRemoteShutdownPrivilege	3392	WMIC.exe
Token: SeUndockPrivilege	3392	WMIC.exe
Token: SeManageVolumePrivilege	3392	WMIC.exe
Token: 33	3392	WMIC.exe
Token: 34	3392	WMIC.exe
Token: 35	3392	WMIC.exe
Token: 36	3392	WMIC.exe
Token: SeIncreaseQuotaPrivilege	116	WMIC.exe
Token: SeSecurityPrivilege	116	WMIC.exe
Token: SeTakeOwnershipPrivilege	116	WMIC.exe
Token: SeLoadDriverPrivilege	116	WMIC.exe
Token: SeSystemProfilePrivilege	116	WMIC.exe
Token: SeSystemtimePrivilege	116	WMIC.exe
Token: SeProfSingleProcessPrivilege	116	WMIC.exe
Token: SeIncBasePriorityPrivilege	116	WMIC.exe
Token: SeCreatePagefilePrivilege	116	WMIC.exe
Token: SeBackupPrivilege	116	WMIC.exe
Token: SeRestorePrivilege	116	WMIC.exe
Token: SeShutdownPrivilege	116	WMIC.exe
Token: SeDebugPrivilege	116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	116	WMIC.exe
Token: SeRemoteShutdownPrivilege	116	WMIC.exe
Token: SeUndockPrivilege	116	WMIC.exe
Token: SeManageVolumePrivilege	116	WMIC.exe
Token: 33	116	WMIC.exe
Token: 34	116	WMIC.exe
Token: 35	116	WMIC.exe
Token: 36	116	WMIC.exe
Token: SeIncreaseQuotaPrivilege	116	WMIC.exe
Token: SeSecurityPrivilege	116	WMIC.exe
Token: SeTakeOwnershipPrivilege	116	WMIC.exe
Token: SeLoadDriverPrivilege	116	WMIC.exe
Token: SeSystemProfilePrivilege	116	WMIC.exe
Token: SeSystemtimePrivilege	116	WMIC.exe
Token: SeProfSingleProcessPrivilege	116	WMIC.exe
Token: SeIncBasePriorityPrivilege	116	WMIC.exe
Token: SeCreatePagefilePrivilege	116	WMIC.exe
Token: SeBackupPrivilege	116	WMIC.exe
Token: SeRestorePrivilege	116	WMIC.exe
Token: SeShutdownPrivilege	116	WMIC.exe
Token: SeDebugPrivilege	116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	116	WMIC.exe
Token: SeRemoteShutdownPrivilege	116	WMIC.exe
Token: SeUndockPrivilege	116	WMIC.exe
Token: SeManageVolumePrivilege	116	WMIC.exe
Token: 33	116	WMIC.exe
Token: 34	116	WMIC.exe
Token: 35	116	WMIC.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exetaskeng.execmd.execmd.exe

description	pid	Process	procid_target
PID 3020 wrote to memory of 384	3020	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	81
PID 3020 wrote to memory of 384	3020	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	81
PID 3020 wrote to memory of 384	3020	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	81
PID 3020 wrote to memory of 4064	3020	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	82
PID 3020 wrote to memory of 4064	3020	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	82
PID 3020 wrote to memory of 4064	3020	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	82
PID 3020 wrote to memory of 4064	3020	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	82
PID 3020 wrote to memory of 4064	3020	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	82
PID 3020 wrote to memory of 4064	3020	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	82
PID 384 wrote to memory of 1560	384	taskeng.exe	88
PID 384 wrote to memory of 1560	384	taskeng.exe	88
PID 384 wrote to memory of 1560	384	taskeng.exe	88
PID 384 wrote to memory of 2376	384	taskeng.exe	94
PID 384 wrote to memory of 2376	384	taskeng.exe	94
PID 384 wrote to memory of 2376	384	taskeng.exe	94
PID 384 wrote to memory of 1592	384	taskeng.exe	89
PID 384 wrote to memory of 1592	384	taskeng.exe	89
PID 384 wrote to memory of 1592	384	taskeng.exe	89
PID 384 wrote to memory of 2368	384	taskeng.exe	93
PID 384 wrote to memory of 2368	384	taskeng.exe	93
PID 384 wrote to memory of 2368	384	taskeng.exe	93
PID 384 wrote to memory of 1756	384	taskeng.exe	92
PID 384 wrote to memory of 1756	384	taskeng.exe	92
PID 384 wrote to memory of 1756	384	taskeng.exe	92
PID 384 wrote to memory of 1836	384	taskeng.exe	91
PID 384 wrote to memory of 1836	384	taskeng.exe	91
PID 384 wrote to memory of 1836	384	taskeng.exe	91
PID 384 wrote to memory of 1888	384	taskeng.exe	90
PID 384 wrote to memory of 1888	384	taskeng.exe	90
PID 384 wrote to memory of 1888	384	taskeng.exe	90
PID 1560 wrote to memory of 3392	1560	cmd.exe	101
PID 1560 wrote to memory of 3392	1560	cmd.exe	101
PID 1560 wrote to memory of 3392	1560	cmd.exe	101
PID 1836 wrote to memory of 116	1836	cmd.exe	102
PID 1836 wrote to memory of 116	1836	cmd.exe	102
PID 1836 wrote to memory of 116	1836	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
"C:\Users\Admin\AppData\Local\Temp\332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1592
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:2376
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:4064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
1c7207d15a7f303c73d5d89d6aae43be

SHA1
19fe550a31cf89ab706e3ebcd6fcc78ca57bdeac

SHA256
52a8f1b16a9d4bcec89850a5f6d30488cd8390d0e6bc19eaea5a138d5dc64dc9

SHA512
d6216aa45ffcd9345139792c94a55d53fe40f775d42a6d6127fc2cb066c653bdc005d133ed85d73aa34f1bcf634c221c7624a7e840c2424cf1f29a2bcd088342

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B1230D967FD647CD5194F3FFA6C7E7E4

MD5
0f96cf32580efc867ff48db74bc92e4b

SHA1
2d16ce1151807b1cc5445db9bd511d0a2c90cf01

SHA256
7176b87dd59195a7e0fb8624010b143d1ca991161748e2cd38a88a4eec91a8da

SHA512
9d9e74180ef53053ebcfe25dd50659b002a4422c9253b82c78804b97329b57ea1ee19edf9eadec09d45f1b034270a15a7da5e5943406415dc259ca58fa459dbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
c167da7b8b4c7fcda6675c7e0088f400

SHA1
994596505635ae1ea5d515c3812bde4da71453da

SHA256
393c90d40294d1f9e4875acc639b3c1b0207a68c7ca49aaf715f97746c128062

SHA512
8fbb72b5d58e34709eb545ab324112d4392f3af389b68b1e184d885ea210f529dede92167578687f47c1b40e49341cbbd62eaf8d71dc09397b5d44a4c9b767f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
e95ce7eb9ff29dab01883fa689cf16eb

SHA1
8d7bc727c9228207e7ecf2734cdc99af26e54856

SHA256
2a3b46516c4b955739728bbf890d1c8b8e3bb31d05126571f526b9472354098c

SHA512
e08a3f5d0ffe4cc62c02741c0c1245ce187a21e197686b877ec1cab350aa5cc4629a3d57b00d3b9596acb53f809db49c298f0a7d647a4d2ff4aba43dcc1d7d2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
8b6fceb9c3d70296b1695c932fe1a365

SHA1
9b8457a968e0e4d1b5ea3818a8d36e996f0eda09

SHA256
78dac802f2d02aa3c931d810f316ba5df64345c950470b7cc588225bbe950132

SHA512
5b131ab5942a1b681cbd43d10ef225818a3f3e323583aa1db70631bc02498d0474c2a26552942df42fe639d237d511cdc01da9463e6a4805853ab4ce813f8d21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B1230D967FD647CD5194F3FFA6C7E7E4

MD5
9802c4aee6f15d3e915e79ba50a2ad85

SHA1
a2babf90d5a6de6fcc7d83075f07800f6ba96774

SHA256
2bf1f3d4d0447d84b3a8cb59d7aadeeda24324872a6d0646f5f1d444becae254

SHA512
a0623c03b8e01229903bb30e2e32670f15945e858edffa61ae795ebaa26228cec02302cfcb341c01d97b9aec1d7425309f86040fd253c11553de94c729cdb075

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
318b0c28312a438eb23d2b2f0a0714c6

SHA1
bf96c1e4583499884c181a125905ce37e9d23db3

SHA256
572c72af167abeea0fea8aedb0d72118ecab9a7f870fae52fe976d6f04d5bfae

SHA512
284d6dcb667284102676ae6f41ec67b348780a32a94951673b1eb98e9d7d51730f091fadef0a6b33d23c74cd11aaae671e2f94efa16d5e1f9d634193efdfcfc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K6H59MEI\1KUCEL9L.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OMK7HR9K\NJ9Y0POH.htm

MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

MD5
42ea94ee3adca8b82fba15ecdde25f26

SHA1
ca17412cd44d186db91c4b2fa7df03363533ffd2

SHA256
332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

SHA512
cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

MD5
42ea94ee3adca8b82fba15ecdde25f26

SHA1
ca17412cd44d186db91c4b2fa7df03363533ffd2

SHA256
332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

SHA512
cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

MD5
42ea94ee3adca8b82fba15ecdde25f26

SHA1
ca17412cd44d186db91c4b2fa7df03363533ffd2

SHA256
332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

SHA512
cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

Download Submit
memory/4064-134-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download