buran | 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a

Analysis

max time kernel
274s
max time network
175s
platform
windows10_x64
resource
win10-20220414-en
submitted
08/07/2022, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4E0D1EDB76747FD945B87DD18299298F0DF719EDBEA946119D91DB59A9B6527A.exe
Size

3.3MB
MD5

d18bf81dbc8acce488abd633d8058cf5
SHA1

1d6dcade355b4867e9435961655a9b9caa373528
SHA256

4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
SHA512

10a6b3994b1b0d37c9f3833e700baded6b89b0162078442b4de5a9747c23027d8943016c5941ba2e530ee5263b87c31a7714aa7bcb5051e5d63cf0a3cd88756f

Score

10^/10

buran evasion persistence ransomware upx

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 14D-74B-482 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 4 IoCs

pid	Process
2208	15sp.exe
3788	mesager43.exe
2180	csrss.exe
1088	csrss.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
3572	attrib.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000001abbc-510.dat	upx
behavioral2/files/0x000700000001abbc-518.dat	upx
behavioral2/memory/3788-551-0x0000000000400000-0x000000000055C000-memory.dmp	upx
behavioral2/files/0x000800000001abbd-585.dat	upx
behavioral2/files/0x000800000001abbd-593.dat	upx
behavioral2/memory/2180-645-0x0000000000400000-0x000000000055C000-memory.dmp	upx
behavioral2/memory/3788-680-0x0000000000400000-0x000000000055C000-memory.dmp	upx
behavioral2/memory/2180-826-0x0000000000400000-0x000000000055C000-memory.dmp	upx
behavioral2/files/0x000800000001abbd-855.dat	upx
behavioral2/memory/1088-876-0x0000000000400000-0x000000000055C000-memory.dmp	upx
behavioral2/memory/1088-1080-0x0000000000400000-0x000000000055C000-memory.dmp	upx
behavioral2/memory/1088-1081-0x0000000000400000-0x000000000055C000-memory.dmp	upx
behavioral2/memory/2180-1140-0x0000000000400000-0x000000000055C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Windows\CurrentVersion\Run	mesager43.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start"	mesager43.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\F:	csrss.exe
File opened (read-only)	\??\A:	csrss.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\T:	csrss.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\I:	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms.14D-74B-482	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\EmptyReport.rdlc	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\HLSL\ConstantsPerLightData.fx	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OneConnectSplashScreen.scale-200.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\gb_16x11.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-32_altform-unplated.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-down.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-left.png.14D-74B-482	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.14D-74B-482	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\FreeCell\Control_1.jpg	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\CoreEngine\Data\3DBrush\round18-05.wts	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-150.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\mail.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\af_get.svg.14D-74B-482	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\file_info.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\ui-strings.js.14D-74B-482	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe.14D-74B-482	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms.14D-74B-482	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsym.ttf.14D-74B-482	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-80.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\ui-strings.js	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm.14D-74B-482	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.14D-74B-482	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-100_contrast-white.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\CardsLoadingSpritesheet.png	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.boot.tree.dat.14D-74B-482	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\mask\12d.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-36.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.14D-74B-482	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\eu-es\ui-strings.js	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\ui-strings.js.14D-74B-482	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-si\ui-strings.js	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo2.targetsize-54.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\4608_24x24x32.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\WideTile.scale-100.png	csrss.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jfr\default.jfc	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN065.XML.14D-74B-482	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\heart.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\nl_60x42.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\files_icons2x.png	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockWideTile.scale-125.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsSmallTile.contrast-white_scale-200.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\example_icons2x.png.14D-74B-482	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\REFINED.INF	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-300.png	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\cs-cz\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar.14D-74B-482	csrss.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png	csrss.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-100_contrast-black.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\fr-FR.PhoneNumber.model	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\WideTile.scale-100.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-up.png.14D-74B-482	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar.14D-74B-482	csrss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo.14D-74B-482	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\3DViewer.exe	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\md_16x11.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-36_altform-unplated.png	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
3868	timeout.exe
3844	timeout.exe
3604	timeout.exe
2700	timeout.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1812	vssadmin.exe
2820	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2220	taskkill.exe
3376	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings	4E0D1EDB76747FD945B87DD18299298F0DF719EDBEA946119D91DB59A9B6527A.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	mesager43.exe
Token: SeDebugPrivilege	3788	mesager43.exe
Token: SeDebugPrivilege	2220	taskkill.exe
Token: SeDebugPrivilege	3376	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1388	WMIC.exe
Token: SeSecurityPrivilege	1388	WMIC.exe
Token: SeTakeOwnershipPrivilege	1388	WMIC.exe
Token: SeLoadDriverPrivilege	1388	WMIC.exe
Token: SeSystemProfilePrivilege	1388	WMIC.exe
Token: SeSystemtimePrivilege	1388	WMIC.exe
Token: SeProfSingleProcessPrivilege	1388	WMIC.exe
Token: SeIncBasePriorityPrivilege	1388	WMIC.exe
Token: SeCreatePagefilePrivilege	1388	WMIC.exe
Token: SeBackupPrivilege	1388	WMIC.exe
Token: SeRestorePrivilege	1388	WMIC.exe
Token: SeShutdownPrivilege	1388	WMIC.exe
Token: SeDebugPrivilege	1388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1388	WMIC.exe
Token: SeRemoteShutdownPrivilege	1388	WMIC.exe
Token: SeUndockPrivilege	1388	WMIC.exe
Token: SeManageVolumePrivilege	1388	WMIC.exe
Token: 33	1388	WMIC.exe
Token: 34	1388	WMIC.exe
Token: 35	1388	WMIC.exe
Token: 36	1388	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3568	WMIC.exe
Token: SeSecurityPrivilege	3568	WMIC.exe
Token: SeTakeOwnershipPrivilege	3568	WMIC.exe
Token: SeLoadDriverPrivilege	3568	WMIC.exe
Token: SeSystemProfilePrivilege	3568	WMIC.exe
Token: SeSystemtimePrivilege	3568	WMIC.exe
Token: SeProfSingleProcessPrivilege	3568	WMIC.exe
Token: SeIncBasePriorityPrivilege	3568	WMIC.exe
Token: SeCreatePagefilePrivilege	3568	WMIC.exe
Token: SeBackupPrivilege	3568	WMIC.exe
Token: SeRestorePrivilege	3568	WMIC.exe
Token: SeShutdownPrivilege	3568	WMIC.exe
Token: SeDebugPrivilege	3568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3568	WMIC.exe
Token: SeRemoteShutdownPrivilege	3568	WMIC.exe
Token: SeUndockPrivilege	3568	WMIC.exe
Token: SeManageVolumePrivilege	3568	WMIC.exe
Token: 33	3568	WMIC.exe
Token: 34	3568	WMIC.exe
Token: 35	3568	WMIC.exe
Token: 36	3568	WMIC.exe
Token: SeBackupPrivilege	1124	vssvc.exe
Token: SeRestorePrivilege	1124	vssvc.exe
Token: SeAuditPrivilege	1124	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3568	WMIC.exe
Token: SeSecurityPrivilege	3568	WMIC.exe
Token: SeTakeOwnershipPrivilege	3568	WMIC.exe
Token: SeLoadDriverPrivilege	3568	WMIC.exe
Token: SeSystemProfilePrivilege	3568	WMIC.exe
Token: SeSystemtimePrivilege	3568	WMIC.exe
Token: SeProfSingleProcessPrivilege	3568	WMIC.exe
Token: SeIncBasePriorityPrivilege	3568	WMIC.exe
Token: SeCreatePagefilePrivilege	3568	WMIC.exe
Token: SeBackupPrivilege	3568	WMIC.exe
Token: SeRestorePrivilege	3568	WMIC.exe
Token: SeShutdownPrivilege	3568	WMIC.exe
Token: SeDebugPrivilege	3568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3568	WMIC.exe
Token: SeRemoteShutdownPrivilege	3568	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 424	2264	4E0D1EDB76747FD945B87DD18299298F0DF719EDBEA946119D91DB59A9B6527A.exe	66
PID 2264 wrote to memory of 424	2264	4E0D1EDB76747FD945B87DD18299298F0DF719EDBEA946119D91DB59A9B6527A.exe	66
PID 2264 wrote to memory of 424	2264	4E0D1EDB76747FD945B87DD18299298F0DF719EDBEA946119D91DB59A9B6527A.exe	66
PID 424 wrote to memory of 3324	424	WScript.exe	67
PID 424 wrote to memory of 3324	424	WScript.exe	67
PID 424 wrote to memory of 3324	424	WScript.exe	67
PID 3324 wrote to memory of 2208	3324	cmd.exe	69
PID 3324 wrote to memory of 2208	3324	cmd.exe	69
PID 3324 wrote to memory of 2208	3324	cmd.exe	69
PID 3324 wrote to memory of 3868	3324	cmd.exe	70
PID 3324 wrote to memory of 3868	3324	cmd.exe	70
PID 3324 wrote to memory of 3868	3324	cmd.exe	70
PID 3324 wrote to memory of 3972	3324	cmd.exe	71
PID 3324 wrote to memory of 3972	3324	cmd.exe	71
PID 3324 wrote to memory of 3972	3324	cmd.exe	71
PID 3324 wrote to memory of 3844	3324	cmd.exe	72
PID 3324 wrote to memory of 3844	3324	cmd.exe	72
PID 3324 wrote to memory of 3844	3324	cmd.exe	72
PID 3972 wrote to memory of 2640	3972	WScript.exe	73
PID 3972 wrote to memory of 2640	3972	WScript.exe	73
PID 3972 wrote to memory of 2640	3972	WScript.exe	73
PID 2640 wrote to memory of 3572	2640	cmd.exe	75
PID 2640 wrote to memory of 3572	2640	cmd.exe	75
PID 2640 wrote to memory of 3572	2640	cmd.exe	75
PID 2640 wrote to memory of 3604	2640	cmd.exe	76
PID 2640 wrote to memory of 3604	2640	cmd.exe	76
PID 2640 wrote to memory of 3604	2640	cmd.exe	76
PID 2640 wrote to memory of 3788	2640	cmd.exe	77
PID 2640 wrote to memory of 3788	2640	cmd.exe	77
PID 2640 wrote to memory of 3788	2640	cmd.exe	77
PID 3788 wrote to memory of 2180	3788	mesager43.exe	78
PID 3788 wrote to memory of 2180	3788	mesager43.exe	78
PID 3788 wrote to memory of 2180	3788	mesager43.exe	78
PID 3788 wrote to memory of 400	3788	mesager43.exe	79
PID 3788 wrote to memory of 400	3788	mesager43.exe	79
PID 3788 wrote to memory of 400	3788	mesager43.exe	79
PID 3788 wrote to memory of 400	3788	mesager43.exe	79
PID 3788 wrote to memory of 400	3788	mesager43.exe	79
PID 3788 wrote to memory of 400	3788	mesager43.exe	79
PID 2640 wrote to memory of 2220	2640	cmd.exe	80
PID 2640 wrote to memory of 2220	2640	cmd.exe	80
PID 2640 wrote to memory of 2220	2640	cmd.exe	80
PID 2640 wrote to memory of 3376	2640	cmd.exe	82
PID 2640 wrote to memory of 3376	2640	cmd.exe	82
PID 2640 wrote to memory of 3376	2640	cmd.exe	82
PID 2640 wrote to memory of 3336	2640	cmd.exe	83
PID 2640 wrote to memory of 3336	2640	cmd.exe	83
PID 2640 wrote to memory of 3336	2640	cmd.exe	83
PID 2640 wrote to memory of 2700	2640	cmd.exe	84
PID 2640 wrote to memory of 2700	2640	cmd.exe	84
PID 2640 wrote to memory of 2700	2640	cmd.exe	84
PID 2180 wrote to memory of 3864	2180	csrss.exe	85
PID 2180 wrote to memory of 3864	2180	csrss.exe	85
PID 2180 wrote to memory of 3864	2180	csrss.exe	85
PID 2180 wrote to memory of 2068	2180	csrss.exe	86
PID 2180 wrote to memory of 2068	2180	csrss.exe	86
PID 2180 wrote to memory of 2068	2180	csrss.exe	86
PID 2180 wrote to memory of 3924	2180	csrss.exe	87
PID 2180 wrote to memory of 3924	2180	csrss.exe	87
PID 2180 wrote to memory of 3924	2180	csrss.exe	87
PID 2180 wrote to memory of 3928	2180	csrss.exe	88
PID 2180 wrote to memory of 3928	2180	csrss.exe	88
PID 2180 wrote to memory of 3928	2180	csrss.exe	88
PID 2180 wrote to memory of 1836	2180	csrss.exe	89

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3572	attrib.exe
3336	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4E0D1EDB76747FD945B87DD18299298F0DF719EDBEA946119D91DB59A9B6527A.exe
"C:\Users\Admin\AppData\Local\Temp\4E0D1EDB76747FD945B87DD18299298F0DF719EDBEA946119D91DB59A9B6527A.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ssd\onset\goodram.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ssd\onset\81ldp.bat" "
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3324
  - - C:\ssd\onset\15sp.exe
      "15sp.exe" e -psion0811 01s.rar
      4⤵
      Executes dropped EXE
      PID:2208
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:3868
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ssd\onset\Ztestram.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ssd\onset\sata1.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\ssd\"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3572
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:3604
      - C:\ssd\onset\mesager43.exe
        
        mesager43.exe /start
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        8⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        8⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        8⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        8⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        8⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        9⤵
        Interacts with shadow copies
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        8⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3568
        
        C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        9⤵
        Interacts with shadow copies
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1088
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad.exe
        7⤵
        
        PID:400
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im 15sp.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im 15sp.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3376
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\ssd\onset\mesager43.exe"
        6⤵
        Views/modifies file attributes
        
        PID:3336
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 4
        6⤵
        Delays execution with timeout.exe
        
        PID:2700
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 4
      4⤵
      Delays execution with timeout.exe
      PID:3844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Hidden Files and Directories

T1158

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
97d4eb06a21b13dca95f364192cbc613

SHA1
5357c95b3663855ba8efb334088cec21b6360b72

SHA256
9bd13f38edc76bf18d9c3237acc45d636df270bf645563092cc5f40595fe18e8

SHA512
43915e89f4e484281f4f6d07ba3dd70fb2ce2fb67edc688ca0e6cee9eea009704c49b684c606587dc229633cf48d6107a904a134554c1e510fa5fca0340bf8d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

Filesize
472B

MD5
413381f33d96c33f2e18560b44db9d7a

SHA1
8a31c09ccc2c7699fc1c7cff9700f3525bcc35ee

SHA256
e8aefc6f7be286fbbed7a15ceed86638820d0e27fb87393e24567c98360ed64b

SHA512
842f0a3259978f44f83eb125177990d2c8e5a15396bf4ba2237985b10387189d00277cc29fe35a08d90e0ab067567388741c17f6717eae88d0f5dca826475c50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
edc7462655e639289e72bac7927c5fc4

SHA1
6d257306c79b1ed31d2e99dfcd4fe8410560b280

SHA256
2d248d2f1e355a14dfb265503783f783a1b05b32010ba4edc6985d579b4bfb65

SHA512
59bec750e075e650b704f1b668d04c85ddca119b6d036d48d3912cb8c4c77961e06ee91df279be12a8d238e920dfb9142cdec0a64ce4618dec230fb30db72d25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
398B

MD5
7976ce0444a3d8bc4b134446124c600d

SHA1
37f79de2cd18d61d364be608f6b46662fefe7da8

SHA256
0a58d6916aae90754c68ac96a39d03339de7321862f37550aa5c8dfdc6bad219

SHA512
0a21d3b0528a6fd8db8ce35d24534a2ef02bb81bae086c959cd42839eab4a3c16c2e64214463679c4b9de70677969a0225defbf216862ff0aaad112ca6bff785

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

Filesize
402B

MD5
208f3e1342604e86a56808dc528701a6

SHA1
dd873ee6f47e54124537aea0e80d1ef06e08ae13

SHA256
3dab3502e2fd8ecd0ea78a18710a9fa5b167e672957ff3ee74417a8f613776fc

SHA512
7188eee8f43e67eaa95638ffe874d09cbe1e013588687081788dd24aee01d09b153191bde50c593e368bef89eb4344754048bf1879a3a4747bdb1830fef23dab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
396B

MD5
29113006340b98e5106c4af0d816ffe7

SHA1
5616f95a95ee75e4924e8f9cdded5c14387994cd

SHA256
28dc2b669571ee818f511685191e49d172672df1a7a39acd906e8f9d1c30f91e

SHA512
ee91a76f154bb09fc66728626730941194387f803c7ad27b1fa36a79c59525b606b4869abca846483141133bd13f6fb355771058839df979655376d33f30e4de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1KDKFUZJ\06YY6FSO.htm

Filesize
184B

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AMCYSS33\K1GAPXP9.htm

Filesize
18KB

MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

Filesize
511KB

MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

Filesize
511KB

MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

Filesize
511KB

MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\Users\Admin\Desktop\CompleteInitialize.3g2.14D-74B-482

Filesize
443KB

MD5
e872f1a65ffe8e068525dc7e37e7a406

SHA1
4a97be2ac5e187ffa69cc3cfee292c6143bbdab1

SHA256
09df2a0f330ae84b37b56868fce6115b79db1abe4c9ca6210b6987709c5e9173

SHA512
fb18e4d348ff28e2b992b94b63ce346c3b1999b75780bc45bec9e155be8ff8bb5386b54dfed3c785318ba7323784fde37353d0176bf06b3f8255091237579ba3

Download Submit
C:\Users\Admin\Desktop\EnterProtect.search-ms.14D-74B-482

Filesize
1.1MB

MD5
bdc6005dab8e2f68c160b47d027db499

SHA1
5a50fdd52ca4f2e595097478f2b4f84a0074f20f

SHA256
744be547c97f29039c41a7f7f62d3df1fa98e14e0af0cdd6a6e87a72515c882a

SHA512
2e52c06976bcde6a4afd254ff622f4604f7bff3a00be53e59fe3b7a847438aa86431a621988bb57d0a306b18f335173880fcb3c18f2aea5184aea68c72511373

Download Submit
C:\Users\Admin\Desktop\ExportResize.php.14D-74B-482

Filesize
1.2MB

MD5
2a51304094bdd8e958a91e5e764e74d2

SHA1
f9de3582a27105cd8f259ac0008c7fb174019d26

SHA256
e7dc547d4a58f3f0224ab315e91f6e15afc31b2a595c0d4593729d2c04fbcc4b

SHA512
1746c2fd8fd3811e6ccefb12b5e49ffdf85c525f8e18ef2c1a7be96dfefba1460ee14d3e90fb4fa29363091e7584d6767260255db2c5ceb6a38447c7257e3ce9

Download Submit
C:\Users\Admin\Desktop\ExportSubmit.mp3.14D-74B-482

Filesize
845KB

MD5
2dbdcc8bacb609359f4f09c5f842b7f9

SHA1
44200702814b26188508bce1b2a331b39b72fe48

SHA256
b92428b902863137f3656519ac2f8cc7f0fcd24bee18794f044dcf75f5c96999

SHA512
ca439eaf3320333d8a07ec6184dc6bdab5746b5c5aa2f89dff14fcb39e1e4e3b8c288cb6ce66ff15e7671433f1badd9167f92f36611c7bd052296725f311be6c

Download Submit
C:\Users\Admin\Desktop\HideImport.mpeg.14D-74B-482

Filesize
1.1MB

MD5
b4c81d3df7f4324dd2ff836c543c643c

SHA1
43fe241ade5b37b2a4e9e9a41e9b3659d01ba47b

SHA256
b608d3ab780d017372fbc2d28833d7b5859831f61f9897c2d9b526d40d1bd27e

SHA512
4ba0e99eb133649cece2af2d416b2517ce6e43067ece7d733d3c157065cabe58bf4e2cb6849227b35c2f05cc6bdf36e1664a357efd0aedcba99d93dac6b0493d

Download Submit
C:\Users\Admin\Desktop\HideOptimize.snd.14D-74B-482

Filesize
1.1MB

MD5
a1f6ae75e444ea452b3c9a1efea8cb6a

SHA1
33b4225de1d2b3199bf1c2b6c8fe2a45a7630b2f

SHA256
a31c23d74e7af0aca589826a5bd794d7e4166997261ce118f0fd3a4f27763acf

SHA512
e974d78cce3fa9ad02ebcf7497d6d85eb951b35e98fa92578815a37113484efae757d711839f6b9c47dceab10632c808311572af6a4fc7f00161c53b5d03e011

Download Submit
C:\Users\Admin\Desktop\ImportApprove.midi.14D-74B-482

Filesize
966KB

MD5
794cfd0fb133b3549b069541507fad17

SHA1
46a5b2ce4bac5d4d4a4d01a49aca4a2d15d01775

SHA256
0b9f0e6c8b6df4ef441bc945511ce0c736426ac62214dd456929950f2b906dd8

SHA512
0690557e431bc9fae55e3b310d56cade87f08e4c486506bcc48a33ef9564a1f49a73da3eb5b6c6e72ecdfdb2cbed9de19b5e93f89ba21cfde7d6ddbddad569d4

Download Submit
C:\Users\Admin\Desktop\OpenSelect.avi.14D-74B-482

Filesize
524KB

MD5
4c38a48680f560c440eda0eb1146b3a2

SHA1
b3594e4e80ccf8af4d4541a1675974902cf632b6

SHA256
237c1ca10cd8d0743dd188d73d031146e51e94191c5a26eb4843bcd9f2d1bf0f

SHA512
38901dbab31cded90831e2cd99a98b3e9fb249e3aa0f6b3a88f04da62c8f6ba1856eed70cdd3dc528c42f781a8126981e1b536837eb535a5f2678c9a78fe91f0

Download Submit
C:\Users\Admin\Desktop\PublishConvertTo.3g2.14D-74B-482

Filesize
1006KB

MD5
237f357bcf572bbb07aa7863f0c0051f

SHA1
34f4bdb25f607f69894634cf34c156e50e292e21

SHA256
6f839e1b0b6ba561ba90057fa6a131b254d1bdd4a09f285a93bd1e4bec9a11bd

SHA512
98de2089631b4de5e47b5f3e83b1e841d55881841c3d9906d8308d6118b7ea453896c90df22adbf4efb6b6d1d252efb242c3b0b4d719f04c80fe5f690447e168

Download Submit
C:\Users\Admin\Desktop\RedoConnect.xps.14D-74B-482

Filesize
684KB

MD5
d4d6e8d1f1c0ee91725d3f3639dea6d7

SHA1
72ebbccd52f722107676726aef5becf2541f85d6

SHA256
eac08b34ab937abafd430941210e2f567c3c374720d93721c72c4e9a937dfbe5

SHA512
1fe43701f0525a40ffce470cc2b80c3122b48ab5c48781b248b32648e65096df837f5f946248a7ddeb068c92bd7b1538e4b171dcb5df016bc8d52850852e2003

Download Submit
C:\Users\Admin\Desktop\RegisterCompress.cab.14D-74B-482

Filesize
885KB

MD5
b950e730530f5f805f8366ad62b6d9e4

SHA1
a2e8ba33e36192f773628768fdaab04b8be6b3d7

SHA256
90fdf1082620d680ad337b8a2101de283cf53db7540041877df351bf98f2345b

SHA512
683751fa9e0afbe98b5b4a41e3c75698778f78822adbb434518d731d1a4f564830e4edc64ee952ccbc602b580972ee8c64326e006c79c8aa37a61ddd08d82954

Download Submit
C:\Users\Admin\Desktop\ResetInitialize.mp3.14D-74B-482

Filesize
765KB

MD5
6e3e803f987510b7a99630176310dd8b

SHA1
f5fc27856729557312a7f43ab3c5700e53687e2c

SHA256
4fe33eaa70bc6c72a04e99ec89226708cfb974e6adf6883f8eec19544d627415

SHA512
0c9ed47f2af88611e3ccd6db90aa2394406a1a001cfe08d4bbfaae60830ba6f64be31a273506afa79fd772a64a3e190a0efbcf3745b310723e9b0d05218c8ef2

Download Submit
C:\Users\Admin\Desktop\ResolveSet.ods.14D-74B-482

Filesize
1.2MB

MD5
85ed54ef9ed1d2244b693bd8bc9b524b

SHA1
98fd3d8fa2e1b20037dd28235303b8971cf20c16

SHA256
cf0bfa41fb0f6adae3b16b67cf7265c4f194183bd374bc019b9347ca1902c56b

SHA512
da3fb2dee93102ea3e161fa6ca432dc3025e9069ce7413f983b750be10dff10d3d5f78e5cc2f0eb7750aa0770284bd1526ee9cf24fa82874cc19a0a9f74d683d

Download Submit
C:\Users\Admin\Desktop\RevokeExpand.clr.14D-74B-482

Filesize
1.0MB

MD5
9a7f36de8c391e2640d8bcc3d33956e9

SHA1
39c8e4dee962c2d7aa3cb2db446929fab918528f

SHA256
9d377a4820ec053f5ec6963579d3acccaa74def1791bf509dc44a8c77a52188d

SHA512
0b925d78a90c2921292bdbbcfc13d5998bee973e84db41fd59466db0b3567a1c4af5ff6dffac45b1556e9422808f5d6a8ac11e335d01bbe9617b0ed3e4d3587f

Download Submit
C:\Users\Admin\Desktop\SetRevoke.ADTS.14D-74B-482

Filesize
805KB

MD5
3377e5e6461608a81cbf976db62ac01a

SHA1
56efa60745a4fc5a6a629dacde289e5d3f9e7655

SHA256
61d776edabeec0c25f648009b08842286d6edc75d2d2e441272e4c24ba5556b3

SHA512
90b6e324e15554f78018e97bdb51a42f84efc52f328134b58412f25283f91a45206e03f50c2d31477e0f96f8ca606f738102fb470f53f4a1456c4e3cba60d660

Download Submit
C:\Users\Admin\Desktop\StartSearch.aiff.14D-74B-482

Filesize
725KB

MD5
fc0ac957054d35e7e87b56cb227cbb09

SHA1
6ca93deb0eac53995b074ce34693e68103600bad

SHA256
871b9d81c66b29463447d5d2f40c5f6bd1846b396d7eca4189ac8a296e3b3e90

SHA512
388ce8ce35830ac09c280efc1f568354400b7572bd7eda8e524ee6ca49c735b05b0b1fc9e6349ed1da234e33fc51aa96f81bf894c714213124060439fe3acf09

Download Submit
C:\Users\Admin\Desktop\TestPop.dwg.14D-74B-482

Filesize
604KB

MD5
d43bb115857dbbefa5991f01f15950d8

SHA1
e139f9170b6277e2ff537a7ae9150afbdc2e7a43

SHA256
8af7809c63042b488d417da6cd72acd9d970cd35af10164d43725552522264c3

SHA512
a25c28dc5afd3d8a6d18e0bbe637b7bc99dca067b45d4ceaf89cd355f2fb6194efbb5bf62b065f4df5aad1951371bfd71a3da4cad5c083bb2e4d85b30b621e22

Download Submit
C:\Users\Admin\Desktop\UndoClear.shtml.14D-74B-482

Filesize
564KB

MD5
143749b201ab488a87ecf7bc4210736c

SHA1
777348973ea195258c1f199ed4a308b4cf9420e6

SHA256
1f4c1c4f580f1dd8e449231fd29a0cc90416db56c844e3920fe6eb11b7b8e94c

SHA512
9d768a4f8da232e3ea1bc3bd352e1f2d1e43d8f4269680ba29a5c5f0e445f7da9d3b73a278539140f9b945847ee45a369a015c024d439e957b446504947d3067

Download Submit
C:\Users\Admin\Desktop\UnprotectRestart.wps.14D-74B-482

Filesize
644KB

MD5
f2cb3fba57eacba97b34f05c0da14de8

SHA1
7e65eee7b2ef5e4ccb4692e3adc2e447716f948e

SHA256
d190656cdce59a86227d13ef129b357350d7e131cb5c9370328aaf75bfddb70d

SHA512
63eecb6c31e04f2df87dd36ace0dfac62b541a3423e6f1ab1e0c4a699a4c854733a18726c3074547054c369d5cbe7364d24f46a94ca2081cb00ee66bb2a1c4f6

Download Submit
C:\Users\Admin\Desktop\UnpublishRedo.vb.14D-74B-482

Filesize
1.7MB

MD5
7e1c2821ec8f6d1101882bdfac58f022

SHA1
42f0978fbe11f74f7f006c0236ead5028f1c6fc9

SHA256
c2ddb405d49cb660d60f97172a67a2a767581200c28df830d222448bcfa89bb7

SHA512
667da326802e4ed1c6e066a95e8f8c86195f3c1eb7762eb30c23272f42e707219d00141d35ddf139d3c400cb2a55fe93a97907cd1c305bd5512b97e88d57fa02

Download Submit
C:\Users\Admin\Desktop\UnpublishRename.rm.14D-74B-482

Filesize
926KB

MD5
8c4d99dbecaacf03ced28b37779b3509

SHA1
db04e435c7d17bc905c50ca916f75fd210210e11

SHA256
24e996027b33896325c7c9dd5ca9797571884896de5bd4636ae54cffb34863df

SHA512
c312f126f6cfbd7813b914ad987a5331abf650c27280322461d3f7536459edf1dd44fd00c8c7f241e8ab02ba0dfe9c2492142686bf1a13e9086b6d072acda539

Download Submit
C:\ssd\onset\15sp.exe

Filesize
551KB

MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\ssd\onset\15sp.exe

Filesize
551KB

MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\ssd\onset\58nfs.ini

Filesize
111KB

MD5
42f9b29cb18cec22cf1f68375685ddc2

SHA1
54de5fd042aa740be90f85d7887d41ebc0e00b4b

SHA256
7aac762ca37c72400df369c6a25d81e758071e570f8dd68f136290923165d007

SHA512
f4065bc2b1b5ef8577c22ee6fe3ee4e5ee9af413d7a693940e317d2ab23de4ac64079761469369b282665c5d19fd3beb9a9ecd0af64a40531df946c65f36ab5c

Download Submit
C:\ssd\onset\81ldp.bat

Filesize
180B

MD5
a5464805722aa29200eb97cb26605135

SHA1
80b2c57e6475325a89eaaba24db02685830018ea

SHA256
03130577ed6032ec6fce61f3f4a52fbfd2e7eb69ca1901823682b392f89c0e8a

SHA512
d99760c1a82e2bd46d4d400c60c2c7a1fdfa057b84c6de2e992e19c662f62aed357e67c6f326e989124ccf7b67b57e1157b124e9bee4765e4f6730fb57660aae

Download Submit
C:\ssd\onset\Ztestram.vbs

Filesize
95B

MD5
b835e273fb843348db5f05d2ed0958e8

SHA1
8a5feab98df1ef7a898863e941e8bb07d007b9c1

SHA256
066327629f90b617ff1980f80a69ff3f5d76b4b005bfe9ee1a52319bc5517c94

SHA512
5438cd64586b1bfb6b555b9183e50cfae143306b163d7b4810383198cb8afcee3b5631a4f7cfb65561c2bb9babfaf70e8403937ae8d80cae93e9cd57e5c8331e

Download Submit
C:\ssd\onset\goodram.vbs

Filesize
96B

MD5
1ed7cb327b190a41ed8aee89c9be87d1

SHA1
6bd8634e530a6911501f1ab1c23fa4282d3a9e4f

SHA256
c31b950a44c81e1aaa37c495da1cf671ef730a5d1efbf5e68a875bf998c94663

SHA512
a9b85159614d71f91f05d9f1a4f65085105591ef7ca6d4094e171121e4259ebeca65fe490c28846b8d5791ef15cd7c01d56c7114aab517bab64c2f262c3dfb7c

Download Submit
C:\ssd\onset\mesager43.exe

Filesize
511KB

MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\ssd\onset\mesager43.exe

Filesize
511KB

MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\ssd\onset\sata1.bat

Filesize
669B

MD5
03560667f8a4144f8d45f917fd522a95

SHA1
df8ec645f2cbecb9388c87a63674b508a791433e

SHA256
41e9529c2acd43b7a206ec80655016bb65ba6721acfd930d351399730e809ad1

SHA512
215824afaaf96acef5977a7e6f48b2133cd969b1d809db333bf1b700176dfaa745141aade50fb4bec1151087a3deb2d64ae542b2405a17ec53d17fbc69052ad4

Download Submit
memory/424-179-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/424-180-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/424-178-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/424-181-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/424-177-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/1088-876-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1088-1080-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1088-1081-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2180-1140-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2180-645-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2180-826-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2264-150-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-174-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-172-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-171-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-118-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-170-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-117-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-168-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-119-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-169-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-120-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-121-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-167-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-122-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-123-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-124-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-125-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-166-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-165-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-126-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-164-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-162-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-163-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-161-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-160-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-159-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-158-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-127-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-175-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-157-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-156-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-155-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-154-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-153-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-152-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-128-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-129-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-130-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-173-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-151-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-133-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-149-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-148-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-131-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-132-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-134-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-147-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-146-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-145-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-144-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-143-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-142-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-135-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-136-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-141-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-140-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-139-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-137-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-138-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/3788-680-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/3788-551-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads