buran | 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a

Analysis

max time kernel
167s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
06/03/2022, 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe
Size

3.3MB
MD5

d18bf81dbc8acce488abd633d8058cf5
SHA1

1d6dcade355b4867e9435961655a9b9caa373528
SHA256

4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
SHA512

10a6b3994b1b0d37c9f3833e700baded6b89b0162078442b4de5a9747c23027d8943016c5941ba2e530ee5263b87c31a7714aa7bcb5051e5d63cf0a3cd88756f

Score

10^/10

buran evasion persistence ransomware upx

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 141-666-48E Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 4 IoCs

pid	Process
4452	15sp.exe
2392	mesager43.exe
1288	svchost.exe
472	svchost.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000400000001e79e-137.dat	upx
behavioral2/files/0x000400000001e79e-138.dat	upx
behavioral2/files/0x000400000001e7ad-139.dat	upx
behavioral2/files/0x000400000001e7ad-140.dat	upx
behavioral2/files/0x000400000001e7ad-153.dat	upx

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	mesager43.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	mesager43.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	mesager43.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\[email protected]	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.SF.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi_3.10.1.v20140909-1633.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\zipfs.jar.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\jmxremote.access	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\cldrdata.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jawt.lib.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	svchost.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt.141-666-48E	svchost.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui_5.5.0.165303.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.ja_5.5.0.165303.jar.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_zh_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunjce_provider.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_zh_4.4.0.v20140623020002.jar.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.server_8.1.14.v20131031.jar.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_ja_4.4.0.v20140623020002.jar.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\README.txt	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzmappings	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar.141-666-48E	svchost.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\blacklisted.certs	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_zh_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\PYCC.pf.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_CN.jar.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.jar.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_CN.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF.141-666-48E	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\artifacts.xml	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar.141-666-48E	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
4072	timeout.exe
1612	timeout.exe
4400	timeout.exe
216	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4920	taskkill.exe
4264	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mesager43.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mesager43.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	mesager43.exe
Token: SeDebugPrivilege	2392	mesager43.exe
Token: SeDebugPrivilege	4920	taskkill.exe
Token: SeDebugPrivilege	4264	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3156	WMIC.exe
Token: SeSecurityPrivilege	3156	WMIC.exe
Token: SeTakeOwnershipPrivilege	3156	WMIC.exe
Token: SeLoadDriverPrivilege	3156	WMIC.exe
Token: SeSystemProfilePrivilege	3156	WMIC.exe
Token: SeSystemtimePrivilege	3156	WMIC.exe
Token: SeProfSingleProcessPrivilege	3156	WMIC.exe
Token: SeIncBasePriorityPrivilege	3156	WMIC.exe
Token: SeCreatePagefilePrivilege	3156	WMIC.exe
Token: SeBackupPrivilege	3156	WMIC.exe
Token: SeRestorePrivilege	3156	WMIC.exe
Token: SeShutdownPrivilege	3156	WMIC.exe
Token: SeDebugPrivilege	3156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3156	WMIC.exe
Token: SeRemoteShutdownPrivilege	3156	WMIC.exe
Token: SeUndockPrivilege	3156	WMIC.exe
Token: SeManageVolumePrivilege	3156	WMIC.exe
Token: 33	3156	WMIC.exe
Token: 34	3156	WMIC.exe
Token: 35	3156	WMIC.exe
Token: 36	3156	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4156	WMIC.exe
Token: SeSecurityPrivilege	4156	WMIC.exe
Token: SeTakeOwnershipPrivilege	4156	WMIC.exe
Token: SeLoadDriverPrivilege	4156	WMIC.exe
Token: SeSystemProfilePrivilege	4156	WMIC.exe
Token: SeSystemtimePrivilege	4156	WMIC.exe
Token: SeProfSingleProcessPrivilege	4156	WMIC.exe
Token: SeIncBasePriorityPrivilege	4156	WMIC.exe
Token: SeCreatePagefilePrivilege	4156	WMIC.exe
Token: SeBackupPrivilege	4156	WMIC.exe
Token: SeRestorePrivilege	4156	WMIC.exe
Token: SeShutdownPrivilege	4156	WMIC.exe
Token: SeDebugPrivilege	4156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4156	WMIC.exe
Token: SeRemoteShutdownPrivilege	4156	WMIC.exe
Token: SeUndockPrivilege	4156	WMIC.exe
Token: SeManageVolumePrivilege	4156	WMIC.exe
Token: 33	4156	WMIC.exe
Token: 34	4156	WMIC.exe
Token: 35	4156	WMIC.exe
Token: 36	4156	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3156	WMIC.exe
Token: SeSecurityPrivilege	3156	WMIC.exe
Token: SeTakeOwnershipPrivilege	3156	WMIC.exe
Token: SeLoadDriverPrivilege	3156	WMIC.exe
Token: SeSystemProfilePrivilege	3156	WMIC.exe
Token: SeSystemtimePrivilege	3156	WMIC.exe
Token: SeProfSingleProcessPrivilege	3156	WMIC.exe
Token: SeIncBasePriorityPrivilege	3156	WMIC.exe
Token: SeCreatePagefilePrivilege	3156	WMIC.exe
Token: SeBackupPrivilege	3156	WMIC.exe
Token: SeRestorePrivilege	3156	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4156	WMIC.exe
Token: SeShutdownPrivilege	3156	WMIC.exe
Token: SeSecurityPrivilege	4156	WMIC.exe
Token: SeDebugPrivilege	3156	WMIC.exe
Token: SeTakeOwnershipPrivilege	4156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3156	WMIC.exe
Token: SeLoadDriverPrivilege	4156	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2664	2032	4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe	79
PID 2032 wrote to memory of 2664	2032	4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe	79
PID 2032 wrote to memory of 2664	2032	4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe	79
PID 2664 wrote to memory of 3080	2664	WScript.exe	80
PID 2664 wrote to memory of 3080	2664	WScript.exe	80
PID 2664 wrote to memory of 3080	2664	WScript.exe	80
PID 3080 wrote to memory of 4452	3080	cmd.exe	82
PID 3080 wrote to memory of 4452	3080	cmd.exe	82
PID 3080 wrote to memory of 4452	3080	cmd.exe	82
PID 3080 wrote to memory of 4072	3080	cmd.exe	83
PID 3080 wrote to memory of 4072	3080	cmd.exe	83
PID 3080 wrote to memory of 4072	3080	cmd.exe	83
PID 3080 wrote to memory of 3204	3080	cmd.exe	84
PID 3080 wrote to memory of 3204	3080	cmd.exe	84
PID 3080 wrote to memory of 3204	3080	cmd.exe	84
PID 3080 wrote to memory of 1612	3080	cmd.exe	85
PID 3080 wrote to memory of 1612	3080	cmd.exe	85
PID 3080 wrote to memory of 1612	3080	cmd.exe	85
PID 3204 wrote to memory of 1384	3204	WScript.exe	86
PID 3204 wrote to memory of 1384	3204	WScript.exe	86
PID 3204 wrote to memory of 1384	3204	WScript.exe	86
PID 1384 wrote to memory of 4024	1384	cmd.exe	88
PID 1384 wrote to memory of 4024	1384	cmd.exe	88
PID 1384 wrote to memory of 4024	1384	cmd.exe	88
PID 1384 wrote to memory of 4400	1384	cmd.exe	89
PID 1384 wrote to memory of 4400	1384	cmd.exe	89
PID 1384 wrote to memory of 4400	1384	cmd.exe	89
PID 1384 wrote to memory of 2392	1384	cmd.exe	91
PID 1384 wrote to memory of 2392	1384	cmd.exe	91
PID 1384 wrote to memory of 2392	1384	cmd.exe	91
PID 2392 wrote to memory of 1288	2392	mesager43.exe	93
PID 2392 wrote to memory of 1288	2392	mesager43.exe	93
PID 2392 wrote to memory of 1288	2392	mesager43.exe	93
PID 2392 wrote to memory of 4324	2392	mesager43.exe	94
PID 2392 wrote to memory of 4324	2392	mesager43.exe	94
PID 2392 wrote to memory of 4324	2392	mesager43.exe	94
PID 2392 wrote to memory of 4324	2392	mesager43.exe	94
PID 2392 wrote to memory of 4324	2392	mesager43.exe	94
PID 2392 wrote to memory of 4324	2392	mesager43.exe	94
PID 1384 wrote to memory of 4920	1384	cmd.exe	98
PID 1384 wrote to memory of 4920	1384	cmd.exe	98
PID 1384 wrote to memory of 4920	1384	cmd.exe	98
PID 1384 wrote to memory of 4264	1384	cmd.exe	99
PID 1384 wrote to memory of 4264	1384	cmd.exe	99
PID 1384 wrote to memory of 4264	1384	cmd.exe	99
PID 1384 wrote to memory of 232	1384	cmd.exe	101
PID 1384 wrote to memory of 232	1384	cmd.exe	101
PID 1384 wrote to memory of 232	1384	cmd.exe	101
PID 1384 wrote to memory of 216	1384	cmd.exe	102
PID 1384 wrote to memory of 216	1384	cmd.exe	102
PID 1384 wrote to memory of 216	1384	cmd.exe	102
PID 1288 wrote to memory of 2224	1288	svchost.exe	108
PID 1288 wrote to memory of 2224	1288	svchost.exe	108
PID 1288 wrote to memory of 2224	1288	svchost.exe	108
PID 1288 wrote to memory of 1336	1288	svchost.exe	109
PID 1288 wrote to memory of 1336	1288	svchost.exe	109
PID 1288 wrote to memory of 1336	1288	svchost.exe	109
PID 1288 wrote to memory of 3588	1288	svchost.exe	110
PID 1288 wrote to memory of 3588	1288	svchost.exe	110
PID 1288 wrote to memory of 3588	1288	svchost.exe	110
PID 1288 wrote to memory of 1636	1288	svchost.exe	111
PID 1288 wrote to memory of 1636	1288	svchost.exe	111
PID 1288 wrote to memory of 1636	1288	svchost.exe	111
PID 1288 wrote to memory of 4764	1288	svchost.exe	118

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4024	attrib.exe
232	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe
"C:\Users\Admin\AppData\Local\Temp\4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ssd\onset\goodram.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ssd\onset\81ldp.bat" "
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\ssd\onset\15sp.exe
      "15sp.exe" e -psion0811 01s.rar
      4⤵
      Executes dropped EXE
      PID:4452
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:4072
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ssd\onset\Ztestram.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3204
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ssd\onset\sata1.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1384
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\ssd\"
        6⤵
        Views/modifies file attributes
        
        PID:4024
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:4400
      - C:\ssd\onset\mesager43.exe
        
        mesager43.exe /start
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        8⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        8⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        8⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        8⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        8⤵
        
        PID:460
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        8⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad.exe
        7⤵
        
        PID:4324
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im 15sp.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im 15sp.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\ssd\onset\mesager43.exe"
        6⤵
        Views/modifies file attributes
        
        PID:232
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 4
        6⤵
        Delays execution with timeout.exe
        
        PID:216
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 4
      4⤵
      Delays execution with timeout.exe
      PID:1612

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2032-130-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/4324-151-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads