Analysis
  max time kernel:  167s
  max time network: 164s
  platform:         windows10-2004_x64
  resource:         win10v2004-en-20220113
  submitted:        06/03/2022, 06:50

Static task: static1

Behavioral task: behavioral1
  Sample:   4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample:   4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe
  Resource: win10v2004-en-20220113

General
  Target: 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe
  Size:   3.3MB
  MD5:    d18bf81dbc8acce488abd633d8058cf5
  SHA1:   1d6dcade355b4867e9435961655a9b9caa373528
  SHA256: 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
  SHA512: 10a6b3994b1b0d37c9f3833e700baded6b89b0162078442b4de5a9747c23027d8943016c5941ba2e530ee5263b87c31a7714aa7bcb5051e5d63cf0a3cd88756f

Malware Config
  Extracted: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  Family:    buran

Signatures

Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

Deletes shadow copies 2 TTPs
  Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE 4 IoCs
  pid   Process
  4452  15sp.exe
  2392  mesager43.exe
  1288  svchost.exe
  472   svchost.exe

UPX packed file 5 IoCs
  resource                                   yara_rule
  behavioral2/files/0x000400000001e79e-137.dat  upx
  behavioral2/files/0x000400000001e79e-138.dat  upx
  behavioral2/files/0x000400000001e7ad-139.dat  upx
  behavioral2/files/0x000400000001e7ad-140.dat  upx
  behavioral2/files/0x000400000001e7ad-153.dat  upx

Checks computer location settings 2 TTPs 5 IoCs
  Looks up country code configured in the registry, likely geofence.
  description        | ioc                                                                                                    | Process
  Key value queried  | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried  | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | cmd.exe
  Key value queried  | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried  | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | mesager43.exe
  Key value queried  | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe

Adds Run key to start application 2 TTPs 2 IoCs
  description      | ioc                                                                                                                                                                                                          | Process
  Key created      | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                                   | mesager43.exe
  Set value (str)  | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start" | mesager43.exe

Enumerates connected drives 3 TTPs 24 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  description              | ioc     | Process
  File opened (read-only)  | \??\A:  | svchost.exe
  File opened (read-only)  | \??\X:  | svchost.exe
  File opened (read-only)  | \??\V:  | svchost.exe
  File opened (read-only)  | \??\T:  | svchost.exe
  File opened (read-only)  | \??\S:  | svchost.exe
  File opened (read-only)  | \??\R:  | svchost.exe
  File opened (read-only)  | \??\Q:  | svchost.exe
  File opened (read-only)  | \??\E:  | svchost.exe
  File opened (read-only)  | \??\K:  | svchost.exe
  File opened (read-only)  | \??\Z:  | svchost.exe
  File opened (read-only)  | \??\Y:  | svchost.exe
  File opened (read-only)  | \??\W:  | svchost.exe
  File opened (read-only)  | \??\P:  | svchost.exe
  File opened (read-only)  | \??\N:  | svchost.exe
  File opened (read-only)  | \??\M:  | svchost.exe
  File opened (read-only)  | \??\L:  | svchost.exe
  File opened (read-only)  | \??\J:  | svchost.exe
  File opened (read-only)  | \??\I:  | svchost.exe
  File opened (read-only)  | \??\H:  | svchost.exe
  File opened (read-only)  | \??\B:  | svchost.exe
  File opened (read-only)  | \??\U:  | svchost.exe
  File opened (read-only)  | \??\O:  | svchost.exe
  File opened (read-only)  | \??\F:  | svchost.exe
  File opened (read-only)  | \??\G:  | svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  11    geoiptool.com

Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe 4 IoCs
  pid   Process
  4072  timeout.exe
  1612  timeout.exe
  4400  timeout.exe
  216   timeout.exe

Kills process with taskkill 2 IoCs
  pid   Process
  4920  taskkill.exe
  4264  taskkill.exe

Modifies registry class 2 IoCs
  description  | ioc                                                                                  | Process
  Key created  | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings | 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe
  Key created  | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings | cmd.exe

Modifies system certificate store 2 IoCs
  description       | ioc                                                                                                                                       | Process
  Set value (data)  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary value not shown] | mesager43.exe
  Key created       | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349                              | mesager43.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Views/modifies file attributes 1 TTPs 2 IoCs
  pid   Process
  4024  attrib.exe
  232   attrib.exe

Processes
(Process tree; the bracketed number is the depth in the tree, the indented line under each image path is its command line.)

[1] C:\Users\Admin\AppData\Local\Temp\4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe"
    PID: 2032
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe
      Command: "C:\Windows\System32\WScript.exe" "C:\ssd\onset\goodram.vbs"
      PID: 2664
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command: C:\Windows\system32\cmd.exe /c ""C:\ssd\onset\81ldp.bat" "
        PID: 3080
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
      [4] C:\ssd\onset\15sp.exe
          Command: "15sp.exe" e -psion0811 01s.rar
          PID: 4452
          - Executes dropped EXE
      [4] C:\Windows\SysWOW64\timeout.exe
          Command: timeout 5
          PID: 4072
          - Delays execution with timeout.exe
      [4] C:\Windows\SysWOW64\WScript.exe
          Command: "C:\Windows\System32\WScript.exe" "C:\ssd\onset\Ztestram.vbs"
          PID: 3204
          - Checks computer location settings
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            Command: C:\Windows\system32\cmd.exe /c ""C:\ssd\onset\sata1.bat" "
            PID: 1384
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\attrib.exe
              Command: attrib +s +h "C:\ssd\"
              PID: 4024
              - Views/modifies file attributes
          [6] C:\Windows\SysWOW64\timeout.exe
              Command: timeout 2
              PID: 4400
              - Delays execution with timeout.exe
          [6] C:\ssd\onset\mesager43.exe
              Command: mesager43.exe /start
              PID: 2392
              - Executes dropped EXE
              - Checks computer location settings
              - Adds Run key to start application
              - Modifies system certificate store
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
                Command: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
                PID: 1288
                - Executes dropped EXE
                - Enumerates connected drives
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
                  PID: 2224
                [9] C:\Windows\SysWOW64\Wbem\WMIC.exe
                    Command: wmic shadowcopy delete
                    PID: 3156
                    - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
                  PID: 1336
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
                  PID: 3588
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
                  PID: 1636
              [8] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
                  Command: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
                  PID: 472
                  - Executes dropped EXE
                  - Drops file in Program Files directory
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
                  PID: 460
                [9] C:\Windows\SysWOW64\Wbem\WMIC.exe
                    Command: wmic shadowcopy delete
                    PID: 4156
                    - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
                  PID: 4764
            [7] C:\Windows\SysWOW64\notepad.exe
                Command: notepad.exe
                PID: 4324
          [6] C:\Windows\SysWOW64\taskkill.exe
              Command: taskkill /f /im 15sp.exe
              PID: 4920
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\taskkill.exe
              Command: taskkill /f /im 15sp.exe
              PID: 4264
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\attrib.exe
              Command: attrib -s -h "C:\ssd\onset\mesager43.exe"
              PID: 232
              - Views/modifies file attributes
          [6] C:\Windows\SysWOW64\timeout.exe
              Command: timeout 4
              PID: 216
              - Delays execution with timeout.exe
      [4] C:\Windows\SysWOW64\timeout.exe
          Command: timeout 4
          PID: 1612
          - Delays execution with timeout.exe

[1] C:\Windows\system32\vssvc.exe
    Command: C:\Windows\system32\vssvc.exe
    PID: 2004