buran | 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a

Analysis

max time kernel
159s
max time network
168s
platform
windows7_x64
resource
win7-en-20211208
submitted
06-03-2022 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe
Size

3.3MB
MD5

d18bf81dbc8acce488abd633d8058cf5
SHA1

1d6dcade355b4867e9435961655a9b9caa373528
SHA256

4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
SHA512

10a6b3994b1b0d37c9f3833e700baded6b89b0162078442b4de5a9747c23027d8943016c5941ba2e530ee5263b87c31a7714aa7bcb5051e5d63cf0a3cd88756f

Score

10^/10

buran evasion persistence ransomware upx

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 8DE-654-A44 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 4 IoCs

pid	Process
1156	15sp.exe
524	mesager43.exe
752	taskeng.exe
2044	taskeng.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001263c-83.dat	upx
behavioral1/files/0x000600000001263c-84.dat	upx
behavioral1/files/0x000600000001263c-85.dat	upx
behavioral1/files/0x000600000001263c-86.dat	upx
behavioral1/files/0x00080000000131fe-88.dat	upx
behavioral1/files/0x00080000000131fe-90.dat	upx
behavioral1/files/0x00080000000131fe-89.dat	upx
behavioral1/files/0x00080000000131fe-110.dat	upx
behavioral1/files/0x00080000000131fe-111.dat	upx

Loads dropped DLL 5 IoCs

pid	Process
1216	cmd.exe
1984	cmd.exe
1984	cmd.exe
524	mesager43.exe
524	mesager43.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	mesager43.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	mesager43.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	taskeng.exe
File opened (read-only)	\??\I:	taskeng.exe
File opened (read-only)	\??\H:	taskeng.exe
File opened (read-only)	\??\F:	taskeng.exe
File opened (read-only)	\??\Z:	taskeng.exe
File opened (read-only)	\??\U:	taskeng.exe
File opened (read-only)	\??\T:	taskeng.exe
File opened (read-only)	\??\A:	taskeng.exe
File opened (read-only)	\??\V:	taskeng.exe
File opened (read-only)	\??\J:	taskeng.exe
File opened (read-only)	\??\E:	taskeng.exe
File opened (read-only)	\??\M:	taskeng.exe
File opened (read-only)	\??\L:	taskeng.exe
File opened (read-only)	\??\B:	taskeng.exe
File opened (read-only)	\??\S:	taskeng.exe
File opened (read-only)	\??\R:	taskeng.exe
File opened (read-only)	\??\Q:	taskeng.exe
File opened (read-only)	\??\P:	taskeng.exe
File opened (read-only)	\??\N:	taskeng.exe
File opened (read-only)	\??\K:	taskeng.exe
File opened (read-only)	\??\G:	taskeng.exe
File opened (read-only)	\??\Y:	taskeng.exe
File opened (read-only)	\??\X:	taskeng.exe
File opened (read-only)	\??\W:	taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\AddNew.tmp	taskeng.exe
File opened for modification	C:\Program Files\DismountSelect.png	taskeng.exe
File opened for modification	C:\Program Files\LimitPublish.001.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\MergeDismount.DVR.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\UnblockMove.ico	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\ApproveSkip.otf	taskeng.exe
File opened for modification	C:\Program Files\ConnectMount.css.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\DismountUnpublish.crw.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\PublishWait.jpeg.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\PushAdd.css	taskeng.exe
File opened for modification	C:\Program Files\RenameSwitch.vbe	taskeng.exe
File opened for modification	C:\Program Files\RestoreSplit.jfif.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\SplitUnprotect.scf.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\SuspendShow.pot	taskeng.exe
File opened for modification	C:\Program Files\CheckpointRequest.TTS	taskeng.exe
File opened for modification	C:\Program Files\RedoDismount.M2V.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\ResolveUnprotect.wmv.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\UnlockMerge.xht	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	taskeng.exe
File created	C:\Program Files\7-Zip\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\CheckpointRequest.TTS.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\ResolveUnprotect.wmv	taskeng.exe
File opened for modification	C:\Program Files\RestoreSplit.jfif	taskeng.exe
File opened for modification	C:\Program Files\UndoWrite.m4v	taskeng.exe
File opened for modification	C:\Program Files\RemoveCopy.m4v.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\RevokePublish.odt	taskeng.exe
File opened for modification	C:\Program Files\UnlockMerge.xht.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\DenyWrite.otf.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\MergeRevoke.emf.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\PushAdd.css.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\UnblockCompress.js	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\DismountSelect.png.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\ImportRestore.xps	taskeng.exe
File opened for modification	C:\Program Files\ReceiveFormat.mov.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\RedoDismount.M2V	taskeng.exe
File opened for modification	C:\Program Files\SelectDebug.tif	taskeng.exe
File opened for modification	C:\Program Files\DebugConvertFrom.vsw	taskeng.exe
File opened for modification	C:\Program Files\DismountExpand.temp	taskeng.exe
File opened for modification	C:\Program Files\DismountUnpublish.crw	taskeng.exe
File opened for modification	C:\Program Files\HideRestart.wma	taskeng.exe
File opened for modification	C:\Program Files\RedoReceive.tiff	taskeng.exe
File opened for modification	C:\Program Files\RedoReceive.tiff.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\UpdateStart.wmv	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	taskeng.exe
File opened for modification	C:\Program Files\AddNew.tmp.8DE-654-A44	taskeng.exe
File created	C:\Program Files\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\ExportDisconnect.jtx	taskeng.exe
File opened for modification	C:\Program Files\ExportDisconnect.jtx.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\FindResume.tif	taskeng.exe
File opened for modification	C:\Program Files\ImportRestore.xps.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\LimitPublish.001	taskeng.exe
File opened for modification	C:\Program Files\UnprotectRestore.txt	taskeng.exe
File opened for modification	C:\Program Files\EditInvoke.dotm	taskeng.exe
File opened for modification	C:\Program Files\MergeDismount.DVR	taskeng.exe
File opened for modification	C:\Program Files\RestartRedo.pot.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\UndoWrite.m4v.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\ApproveSkip.otf.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\DenyWrite.otf	taskeng.exe
File opened for modification	C:\Program Files\SelectDebug.tif.8DE-654-A44	taskeng.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1756	1256	WerFault.exe	44

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
1184	timeout.exe
1148	timeout.exe
956	timeout.exe
1044	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
836	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1668	taskkill.exe
1444	taskkill.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	taskeng.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	taskeng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mesager43.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mesager43.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mesager43.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	524	mesager43.exe
Token: SeDebugPrivilege	524	mesager43.exe
Token: SeDebugPrivilege	1444	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeIncreaseQuotaPrivilege	964	WMIC.exe
Token: SeSecurityPrivilege	964	WMIC.exe
Token: SeTakeOwnershipPrivilege	964	WMIC.exe
Token: SeLoadDriverPrivilege	964	WMIC.exe
Token: SeSystemProfilePrivilege	964	WMIC.exe
Token: SeSystemtimePrivilege	964	WMIC.exe
Token: SeProfSingleProcessPrivilege	964	WMIC.exe
Token: SeIncBasePriorityPrivilege	964	WMIC.exe
Token: SeCreatePagefilePrivilege	964	WMIC.exe
Token: SeBackupPrivilege	964	WMIC.exe
Token: SeRestorePrivilege	964	WMIC.exe
Token: SeShutdownPrivilege	964	WMIC.exe
Token: SeDebugPrivilege	964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	964	WMIC.exe
Token: SeRemoteShutdownPrivilege	964	WMIC.exe
Token: SeUndockPrivilege	964	WMIC.exe
Token: SeManageVolumePrivilege	964	WMIC.exe
Token: 33	964	WMIC.exe
Token: 34	964	WMIC.exe
Token: 35	964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	828	WMIC.exe
Token: SeSecurityPrivilege	828	WMIC.exe
Token: SeTakeOwnershipPrivilege	828	WMIC.exe
Token: SeLoadDriverPrivilege	828	WMIC.exe
Token: SeSystemProfilePrivilege	828	WMIC.exe
Token: SeSystemtimePrivilege	828	WMIC.exe
Token: SeProfSingleProcessPrivilege	828	WMIC.exe
Token: SeIncBasePriorityPrivilege	828	WMIC.exe
Token: SeCreatePagefilePrivilege	828	WMIC.exe
Token: SeBackupPrivilege	828	WMIC.exe
Token: SeRestorePrivilege	828	WMIC.exe
Token: SeShutdownPrivilege	828	WMIC.exe
Token: SeDebugPrivilege	828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	828	WMIC.exe
Token: SeRemoteShutdownPrivilege	828	WMIC.exe
Token: SeUndockPrivilege	828	WMIC.exe
Token: SeManageVolumePrivilege	828	WMIC.exe
Token: 33	828	WMIC.exe
Token: 34	828	WMIC.exe
Token: 35	828	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 2044	1588	4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe	27
PID 1588 wrote to memory of 2044	1588	4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe	27
PID 1588 wrote to memory of 2044	1588	4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe	27
PID 1588 wrote to memory of 2044	1588	4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe	27
PID 2044 wrote to memory of 1216	2044	WScript.exe	28
PID 2044 wrote to memory of 1216	2044	WScript.exe	28
PID 2044 wrote to memory of 1216	2044	WScript.exe	28
PID 2044 wrote to memory of 1216	2044	WScript.exe	28
PID 1216 wrote to memory of 1156	1216	cmd.exe	31
PID 1216 wrote to memory of 1156	1216	cmd.exe	31
PID 1216 wrote to memory of 1156	1216	cmd.exe	31
PID 1216 wrote to memory of 1156	1216	cmd.exe	31
PID 1216 wrote to memory of 1044	1216	cmd.exe	33
PID 1216 wrote to memory of 1044	1216	cmd.exe	33
PID 1216 wrote to memory of 1044	1216	cmd.exe	33
PID 1216 wrote to memory of 1044	1216	cmd.exe	33
PID 1216 wrote to memory of 984	1216	cmd.exe	34
PID 1216 wrote to memory of 984	1216	cmd.exe	34
PID 1216 wrote to memory of 984	1216	cmd.exe	34
PID 1216 wrote to memory of 984	1216	cmd.exe	34
PID 1216 wrote to memory of 1184	1216	cmd.exe	35
PID 1216 wrote to memory of 1184	1216	cmd.exe	35
PID 1216 wrote to memory of 1184	1216	cmd.exe	35
PID 1216 wrote to memory of 1184	1216	cmd.exe	35
PID 984 wrote to memory of 1984	984	WScript.exe	36
PID 984 wrote to memory of 1984	984	WScript.exe	36
PID 984 wrote to memory of 1984	984	WScript.exe	36
PID 984 wrote to memory of 1984	984	WScript.exe	36
PID 1984 wrote to memory of 808	1984	cmd.exe	38
PID 1984 wrote to memory of 808	1984	cmd.exe	38
PID 1984 wrote to memory of 808	1984	cmd.exe	38
PID 1984 wrote to memory of 808	1984	cmd.exe	38
PID 1984 wrote to memory of 1148	1984	cmd.exe	39
PID 1984 wrote to memory of 1148	1984	cmd.exe	39
PID 1984 wrote to memory of 1148	1984	cmd.exe	39
PID 1984 wrote to memory of 1148	1984	cmd.exe	39
PID 1984 wrote to memory of 524	1984	cmd.exe	40
PID 1984 wrote to memory of 524	1984	cmd.exe	40
PID 1984 wrote to memory of 524	1984	cmd.exe	40
PID 1984 wrote to memory of 524	1984	cmd.exe	40
PID 524 wrote to memory of 752	524	mesager43.exe	43
PID 524 wrote to memory of 752	524	mesager43.exe	43
PID 524 wrote to memory of 752	524	mesager43.exe	43
PID 524 wrote to memory of 752	524	mesager43.exe	43
PID 524 wrote to memory of 1256	524	mesager43.exe	44
PID 524 wrote to memory of 1256	524	mesager43.exe	44
PID 524 wrote to memory of 1256	524	mesager43.exe	44
PID 524 wrote to memory of 1256	524	mesager43.exe	44
PID 524 wrote to memory of 1256	524	mesager43.exe	44
PID 524 wrote to memory of 1256	524	mesager43.exe	44
PID 524 wrote to memory of 1256	524	mesager43.exe	44
PID 1256 wrote to memory of 1756	1256	notepad.exe	45
PID 1256 wrote to memory of 1756	1256	notepad.exe	45
PID 1256 wrote to memory of 1756	1256	notepad.exe	45
PID 1256 wrote to memory of 1756	1256	notepad.exe	45
PID 1984 wrote to memory of 1444	1984	cmd.exe	46
PID 1984 wrote to memory of 1444	1984	cmd.exe	46
PID 1984 wrote to memory of 1444	1984	cmd.exe	46
PID 1984 wrote to memory of 1444	1984	cmd.exe	46
PID 1984 wrote to memory of 1668	1984	cmd.exe	49
PID 1984 wrote to memory of 1668	1984	cmd.exe	49
PID 1984 wrote to memory of 1668	1984	cmd.exe	49
PID 1984 wrote to memory of 1668	1984	cmd.exe	49
PID 1984 wrote to memory of 1692	1984	cmd.exe	50

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
808	attrib.exe
1692	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe
"C:\Users\Admin\AppData\Local\Temp\4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ssd\onset\goodram.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\ssd\onset\81ldp.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\ssd\onset\15sp.exe
      "15sp.exe" e -psion0811 01s.rar
      4⤵
      Executes dropped EXE
      PID:1156
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:1044
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ssd\onset\Ztestram.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:984
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\ssd\onset\sata1.bat" "
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\ssd\"
        6⤵
        Views/modifies file attributes
        
        PID:808
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:1148
      - C:\ssd\onset\mesager43.exe
        
        mesager43.exe /start
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Modifies system certificate store
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        8⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        8⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        8⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        8⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        8⤵
        
        PID:520
        
        C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        9⤵
        Interacts with shadow copies
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        8⤵
        
        PID:932
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2044
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad.exe
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 196
        8⤵
        Program crash
        
        PID:1756
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im 15sp.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im 15sp.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\ssd\onset\mesager43.exe"
        6⤵
        Views/modifies file attributes
        
        PID:1692
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 4
        6⤵
        Delays execution with timeout.exe
        
        PID:956
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 4
      4⤵
      Delays execution with timeout.exe
      PID:1184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1256-93-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1588-55-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1588-56-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads