Analysis
max time kernel: 157s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 03/05/2022, 14:59
Static task: static1
Behavioral task: behavioral1
  Sample: ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe
  Resource: win10v2004-20220414-en
General
Target: ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe
Size: 121KB
MD5: 2a1eba690d97ef43558414530e7d2dac
SHA1: 48b6a01525f745c863d8302339340528a9f44775
SHA256: ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea
SHA512: 29b663f495a051ed614375caeeb3b8284df620f6460f451a72af68d35413326a31243300aef8854a60531ab7c8c240d74fb2cd0e32928c0f0bbef0e2b9447280
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
Family: makop
Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
description | pid | Process | procid_target
PID 4496 created 1336 | 4496 | svchost.exe | 84
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
pid | Process
2332 | wbadmin.exe
Loads dropped DLL (2 IoCs)
pid | Process
1912 | ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe
1880 | ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe\"" | ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1912 set thread context of 1336 | 1912 | ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe | 84
PID 1880 set thread context of 2736 | 1880 | ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe | 110
Drops file in Program Files directory (64 IoCs)
Process for every row below: ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe
description | ioc
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml
File created | C:\Program Files\7-Zip\Lang\readme-warning.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-nodes.jar
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\readme-warning.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_zh_CN.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-windows.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-text.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-options.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-util-enumerations.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.console_1.1.0.v20140131-1639.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\jfluid-server.jar
File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\ij.bat
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-modules.xml
File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\dblook.bat
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvmstat.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\dnsns.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\setEmbeddedCP.bat
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA
File opened for modification | C:\Program Files\Common Files\Services\verisign.bmp
File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui
File created | C:\Program Files\Internet Explorer\SIGNUP\readme-warning.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\jvm.cfg
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.descriptorProvider.exsd
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar
File opened for modification | C:\Program Files\7-Zip\Lang\mk.txt
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_zh_CN.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
3996 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1336 | ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe
1336 | ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
pid | Process
1912 | ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe
1880 | ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe
Suspicious use of AdjustPrivilegeToken (50 IoCs)
description | pid | Process
Token: SeTcbPrivilege | 4496 | svchost.exe
Token: SeTcbPrivilege | 4496 | svchost.exe
Token: SeBackupPrivilege | 3836 | vssvc.exe
Token: SeRestorePrivilege | 3836 | vssvc.exe
Token: SeAuditPrivilege | 3836 | vssvc.exe
Token: SeBackupPrivilege | 4176 | wbengine.exe
Token: SeRestorePrivilege | 4176 | wbengine.exe
Token: SeSecurityPrivilege | 4176 | wbengine.exe
Token: SeIncreaseQuotaPrivilege | 2364 | WMIC.exe
Token: SeSecurityPrivilege | 2364 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2364 | WMIC.exe
Token: SeLoadDriverPrivilege | 2364 | WMIC.exe
Token: SeSystemProfilePrivilege | 2364 | WMIC.exe
Token: SeSystemtimePrivilege | 2364 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2364 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2364 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2364 | WMIC.exe
Token: SeBackupPrivilege | 2364 | WMIC.exe
Token: SeRestorePrivilege | 2364 | WMIC.exe
Token: SeShutdownPrivilege | 2364 | WMIC.exe
Token: SeDebugPrivilege | 2364 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2364 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2364 | WMIC.exe
Token: SeUndockPrivilege | 2364 | WMIC.exe
Token: SeManageVolumePrivilege | 2364 | WMIC.exe
Token: 33 | 2364 | WMIC.exe
Token: 34 | 2364 | WMIC.exe
Token: 35 | 2364 | WMIC.exe
Token: 36 | 2364 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 2364 | WMIC.exe
Token: SeSecurityPrivilege | 2364 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2364 | WMIC.exe
Token: SeLoadDriverPrivilege | 2364 | WMIC.exe
Token: SeSystemProfilePrivilege | 2364 | WMIC.exe
Token: SeSystemtimePrivilege | 2364 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2364 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2364 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2364 | WMIC.exe
Token: SeBackupPrivilege | 2364 | WMIC.exe
Token: SeRestorePrivilege | 2364 | WMIC.exe
Token: SeShutdownPrivilege | 2364 | WMIC.exe
Token: SeDebugPrivilege | 2364 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2364 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2364 | WMIC.exe
Token: SeUndockPrivilege | 2364 | WMIC.exe
Token: SeManageVolumePrivilege | 2364 | WMIC.exe
Token: 33 | 2364 | WMIC.exe
Token: 34 | 2364 | WMIC.exe
Token: 35 | 2364 | WMIC.exe
Token: 36 | 2364 | WMIC.exe
Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | Process | procid_target
PID 1912 wrote to memory of 1336 | 1912 | ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe | 84
PID 1912 wrote to memory of 1336 | 1912 | ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe | 84
PID 1912 wrote to memory of 1336 | 1912 | ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe | 84
PID 1912 wrote to memory of 1336 | 1912 | ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe | 84
PID 4496 wrote to memory of 1880 | 4496 | svchost.exe | 87
PID 4496 wrote to memory of 1880 | 4496 | svchost.exe | 87
PID 4496 wrote to memory of 1880 | 4496 | svchost.exe | 87
PID 4496 wrote to memory of 1880 | 4496 | svchost.exe | 87
PID 4496 wrote to memory of 1880 | 4496 | svchost.exe | 87
PID 4496 wrote to memory of 1880 | 4496 | svchost.exe | 87
PID 4496 wrote to memory of 1880 | 4496 | svchost.exe | 87
PID 1336 wrote to memory of 4064 | 1336 | ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe | 88
PID 1336 wrote to memory of 4064 | 1336 | ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe | 88
PID 4064 wrote to memory of 3996 | 4064 | cmd.exe | 90
PID 4064 wrote to memory of 3996 | 4064 | cmd.exe | 90
PID 4064 wrote to memory of 2332 | 4064 | cmd.exe | 97
PID 4064 wrote to memory of 2332 | 4064 | cmd.exe | 97
PID 4064 wrote to memory of 2364 | 4064 | cmd.exe | 105
PID 4064 wrote to memory of 2364 | 4064 | cmd.exe | 105
PID 1880 wrote to memory of 2736 | 1880 | ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe | 110
PID 1880 wrote to memory of 2736 | 1880 | ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe | 110
PID 1880 wrote to memory of 2736 | 1880 | ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe | 110
PID 1880 wrote to memory of 2736 | 1880 | ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe | 110
Processes
(process tree; indentation shows parent/child depth, each entry gives image path, command line, PID and the signatures raised by that process)

C:\Users\Admin\AppData\Local\Temp\ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe"
  PID: 1912
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe"
      PID: 1336
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe" n1336
          PID: 1880
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\ebdc5309aeef56b4bb2ffc14ac4fd618ffaae294e633099532a20992908ab4ea.exe" n1336
              PID: 2736
        C:\Windows\system32\cmd.exe
          command line: "C:\Windows\system32\cmd.exe"
          PID: 4064
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\vssadmin.exe
              command line: vssadmin delete shadows /all /quiet
              PID: 3996
              - Interacts with shadow copies
            C:\Windows\system32\wbadmin.exe
              command line: wbadmin delete catalog -quiet
              PID: 2332
              - Deletes backup catalog
            C:\Windows\System32\Wbem\WMIC.exe
              command line: wmic shadowcopy delete
              PID: 2364
              - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  PID: 4496
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 3836
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  PID: 4176
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 4656

C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  PID: 1796
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 11KB
MD5: fccff8cb7a1067e23fd2e2b63971a8e1
SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Filesize: 11KB
MD5: fccff8cb7a1067e23fd2e2b63971a8e1
SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Filesize: 63KB
MD5: 0da2cefb3f8aa7d6c28e8b9d408c1dbf
SHA1: 3c1fc52c9ba09a50dfff86584860e1d11a12631b
SHA256: 7d7f829c85d22b9976bdf83fdd12fab10a8fcb71757907f52e4b36df1882600c
SHA512: 946883261b6be19070da9b0de21a8b11d1f1d01d54a09b09589dae9521f508a4a1723aa91936451ed47f209b29f82bc53ca646dfe77ab2795166e63f1a07c00e