buran | 97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433

Analysis

max time kernel
145s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2022 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe
Size

624KB
MD5

e2c9e21bc2d59273ad13144b10e082f8
SHA1

0fd4b5d955122d84552626d2634c62c78e800b7c
SHA256

97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433
SHA512

393ca8e5bf98120a4e0a8b6bab6f4f9582f3283ded401d7942ac8089a9b65d87b63ee66ac43f85de6b08ab914035e08c9b348dbd594688d2a8fee7df08dd7349

Score

10^/10

buran evasion persistence ransomware suricata

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

==== GERMAN ==== Alle Ihre Dateien, Dokumente, Fotos, Datenbanken und andere wichtige Dateien werden verschlusselt. Sie konnen es nicht selbst entschlusseln! Die einzige Methode Zum Wiederherstellen von Dateien muss ein eindeutiger privater Schlussel erworben werden. Nur wir konnen Ihnen diesen Schlussel geben und nur wir konnen Ihre Dateien wiederherstellen. Um sicher zu gehen, dass wir den Entschlusseler haben und er funktioniert, konnen Sie einen senden Senden Sie eine E-Mail an [email protected] oder [email protected] und entschlusseln Sie eine Datei kostenlos. Aber diese Datei sollte nicht wertvoll sein! Mochten Sie Ihre Dateien wirklich wiederherstellen? Schreiben Sie eine E-Mail an [email protected] [email protected] (reservieren) Ihre personliche ID: <! - ID -> Beachtung! * Benennen Sie verschlusselte Dateien nicht um. * Versuchen Sie nicht, Ihre Daten mit Software von Drittanbietern zu entschlusseln. Dies kann zu dauerhaftem Datenverlust fuhren. * Entschlusselung Ihrer Dateien mit Hilfe von Dritten moglich verursachen Sie erhohten Preis (sie addieren ihre Gebuhr zu unserem) oder Sie konnen Opfer eines Betrugs werden. ==== ENGLISH ==== All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email [email protected] [email protected] (reserve) Your personal ID: 1B66E625-D369-D1F2-8A29-1BDFEEB54369 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
suricata: ET MALWARE Buran Ransomware Activity M1
suricata: ET MALWARE Buran Ransomware Activity M1
suricata
suricata: ET MALWARE Observed Buran Ransomware UA (BURAN)
suricata: ET MALWARE Observed Buran Ransomware UA (BURAN)
suricata

Clears Windows event logs 1 TTPs 3 IoCs

evasion ransomware

Indicator Removal on Host

T1070

pid	Process
2492	wevtutil.exe
2344	wevtutil.exe
3976	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 3 IoCs

pid	Process
3140	lsass.exe
3840	lsass.exe
2436	lsass.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Subsystem Service = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"	reg.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\B:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\F:	lsass.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\A:	lsass.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\psfontj2d.properties	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-pl.xrm-ms.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\management\jmxremote.access	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN096.XML.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ja_5.5.0.165303.jar.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_ja.jar.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-queries.jar	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-pl.xrm-ms.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-100.png.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\java.policy.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-awt.jar	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ppd.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-oob.xrm-ms.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.png.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\ffjcext.zip.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif.[1B66E625-D369-D1F2-8A29-1BDFEEB54369]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT	lsass.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1860	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
500	PING.EXE

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	3140	lsass.exe
Token: SeIncreaseQuotaPrivilege	3080	WMIC.exe
Token: SeSecurityPrivilege	3080	WMIC.exe
Token: SeTakeOwnershipPrivilege	3080	WMIC.exe
Token: SeLoadDriverPrivilege	3080	WMIC.exe
Token: SeSystemProfilePrivilege	3080	WMIC.exe
Token: SeSystemtimePrivilege	3080	WMIC.exe
Token: SeProfSingleProcessPrivilege	3080	WMIC.exe
Token: SeIncBasePriorityPrivilege	3080	WMIC.exe
Token: SeCreatePagefilePrivilege	3080	WMIC.exe
Token: SeBackupPrivilege	3080	WMIC.exe
Token: SeRestorePrivilege	3080	WMIC.exe
Token: SeShutdownPrivilege	3080	WMIC.exe
Token: SeDebugPrivilege	3080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3080	WMIC.exe
Token: SeRemoteShutdownPrivilege	3080	WMIC.exe
Token: SeUndockPrivilege	3080	WMIC.exe
Token: SeManageVolumePrivilege	3080	WMIC.exe
Token: 33	3080	WMIC.exe
Token: 34	3080	WMIC.exe
Token: 35	3080	WMIC.exe
Token: 36	3080	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3080	WMIC.exe
Token: SeSecurityPrivilege	3080	WMIC.exe
Token: SeTakeOwnershipPrivilege	3080	WMIC.exe
Token: SeLoadDriverPrivilege	3080	WMIC.exe
Token: SeSystemProfilePrivilege	3080	WMIC.exe
Token: SeSystemtimePrivilege	3080	WMIC.exe
Token: SeProfSingleProcessPrivilege	3080	WMIC.exe
Token: SeIncBasePriorityPrivilege	3080	WMIC.exe
Token: SeCreatePagefilePrivilege	3080	WMIC.exe
Token: SeBackupPrivilege	3080	WMIC.exe
Token: SeRestorePrivilege	3080	WMIC.exe
Token: SeShutdownPrivilege	3080	WMIC.exe
Token: SeDebugPrivilege	3080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3080	WMIC.exe
Token: SeRemoteShutdownPrivilege	3080	WMIC.exe
Token: SeUndockPrivilege	3080	WMIC.exe
Token: SeManageVolumePrivilege	3080	WMIC.exe
Token: 33	3080	WMIC.exe
Token: 34	3080	WMIC.exe
Token: 35	3080	WMIC.exe
Token: 36	3080	WMIC.exe
Token: SeBackupPrivilege	2432	vssvc.exe
Token: SeRestorePrivilege	2432	vssvc.exe
Token: SeAuditPrivilege	2432	vssvc.exe
Token: SeSecurityPrivilege	2492	wevtutil.exe
Token: SeBackupPrivilege	2492	wevtutil.exe
Token: SeSecurityPrivilege	2344	wevtutil.exe
Token: SeBackupPrivilege	2344	wevtutil.exe
Token: SeSecurityPrivilege	3976	wevtutil.exe
Token: SeBackupPrivilege	3976	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 3204	3496	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	82
PID 3496 wrote to memory of 3204	3496	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	82
PID 3496 wrote to memory of 3204	3496	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	82
PID 3204 wrote to memory of 2268	3204	cmd.exe	84
PID 3204 wrote to memory of 2268	3204	cmd.exe	84
PID 3204 wrote to memory of 2268	3204	cmd.exe	84
PID 3496 wrote to memory of 3140	3496	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	85
PID 3496 wrote to memory of 3140	3496	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	85
PID 3496 wrote to memory of 3140	3496	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	85
PID 3496 wrote to memory of 3636	3496	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	86
PID 3496 wrote to memory of 3636	3496	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	86
PID 3496 wrote to memory of 3636	3496	97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe	86
PID 3636 wrote to memory of 500	3636	cmd.exe	88
PID 3636 wrote to memory of 500	3636	cmd.exe	88
PID 3636 wrote to memory of 500	3636	cmd.exe	88
PID 3140 wrote to memory of 1216	3140	lsass.exe	89
PID 3140 wrote to memory of 1216	3140	lsass.exe	89
PID 3140 wrote to memory of 1216	3140	lsass.exe	89
PID 3140 wrote to memory of 1920	3140	lsass.exe	91
PID 3140 wrote to memory of 1920	3140	lsass.exe	91
PID 3140 wrote to memory of 1920	3140	lsass.exe	91
PID 3140 wrote to memory of 1624	3140	lsass.exe	93
PID 3140 wrote to memory of 1624	3140	lsass.exe	93
PID 3140 wrote to memory of 1624	3140	lsass.exe	93
PID 3140 wrote to memory of 3068	3140	lsass.exe	95
PID 3140 wrote to memory of 3068	3140	lsass.exe	95
PID 3140 wrote to memory of 3068	3140	lsass.exe	95
PID 3140 wrote to memory of 1664	3140	lsass.exe	97
PID 3140 wrote to memory of 1664	3140	lsass.exe	97
PID 3140 wrote to memory of 1664	3140	lsass.exe	97
PID 3140 wrote to memory of 2336	3140	lsass.exe	99
PID 3140 wrote to memory of 2336	3140	lsass.exe	99
PID 3140 wrote to memory of 2336	3140	lsass.exe	99
PID 3140 wrote to memory of 216	3140	lsass.exe	101
PID 3140 wrote to memory of 216	3140	lsass.exe	101
PID 3140 wrote to memory of 216	3140	lsass.exe	101
PID 216 wrote to memory of 3080	216	cmd.exe	103
PID 216 wrote to memory of 3080	216	cmd.exe	103
PID 216 wrote to memory of 3080	216	cmd.exe	103
PID 3140 wrote to memory of 3388	3140	lsass.exe	106
PID 3140 wrote to memory of 3388	3140	lsass.exe	106
PID 3140 wrote to memory of 3388	3140	lsass.exe	106
PID 3140 wrote to memory of 2324	3140	lsass.exe	108
PID 3140 wrote to memory of 2324	3140	lsass.exe	108
PID 3140 wrote to memory of 2324	3140	lsass.exe	108
PID 2324 wrote to memory of 1720	2324	cmd.exe	110
PID 2324 wrote to memory of 1720	2324	cmd.exe	110
PID 2324 wrote to memory of 1720	2324	cmd.exe	110
PID 3140 wrote to memory of 3908	3140	lsass.exe	111
PID 3140 wrote to memory of 3908	3140	lsass.exe	111
PID 3140 wrote to memory of 3908	3140	lsass.exe	111
PID 3908 wrote to memory of 3236	3908	cmd.exe	113
PID 3908 wrote to memory of 3236	3908	cmd.exe	113
PID 3908 wrote to memory of 3236	3908	cmd.exe	113
PID 3140 wrote to memory of 1528	3140	lsass.exe	114
PID 3140 wrote to memory of 1528	3140	lsass.exe	114
PID 3140 wrote to memory of 1528	3140	lsass.exe	114
PID 1528 wrote to memory of 3840	1528	cmd.exe	116
PID 1528 wrote to memory of 3840	1528	cmd.exe	116
PID 1528 wrote to memory of 3840	1528	cmd.exe	116
PID 3140 wrote to memory of 3504	3140	lsass.exe	117
PID 3140 wrote to memory of 3504	3140	lsass.exe	117
PID 3140 wrote to memory of 3504	3140	lsass.exe	117
PID 3504 wrote to memory of 3784	3504	cmd.exe	119

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3784	attrib.exe

C:\Users\Admin\AppData\Local\Temp\97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe
"C:\Users\Admin\AppData\Local\Temp\97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /e:on /c md "C:\Users\Admin\AppData\Roaming\Microsoft\Windows" & copy "C:\Users\Admin\AppData\Local\Temp\97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" & reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Local Security Authority Subsystem Service" /t REG_SZ /F /D "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe\" -start"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Local Security Authority Subsystem Service" /t REG_SZ /F /D "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe\" -start"
    3⤵
    - Adds Run key to start application
    PID:2268
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
      4⤵
      PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3908
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
      4⤵
      PID:3236
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
      4⤵
      PID:3840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C attrib "%userprofile%\documents\Default.rdp" -s -h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\documents\Default.rdp" -s -h
      4⤵
      Views/modifies file attributes
      PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C del "%userprofile%\documents\Default.rdp"
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log Application
    3⤵
    PID:1884
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe clear-log Application
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log Security
    3⤵
    PID:2132
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe clear-log Security
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log System
    3⤵
    PID:3244
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe clear-log System
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:3976
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C sc config eventlog start=disabled
    3⤵
    PID:472
  - - C:\Windows\SysWOW64\sc.exe
      sc config eventlog start=disabled
      4⤵
      Launches sc.exe
      PID:1860
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3840
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:2436
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del "C:\Users\Admin\AppData\Local\Temp\97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe" & if not exist "C:\Users\Admin\AppData\Local\Temp\97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe" exit )
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Hidden Files and Directories

T1158

Indicator Removal on Host

T1070

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
1699855cd5e006d467193f752c958899

SHA1
11af036e632ecfb1d99c908529663597d2795786

SHA256
bcb990f29d151ab7ea6dc20723f8d065ea534f1320f6c383758ea7831a30a7ea

SHA512
e3f66f158b81426b62bd6aff0da13401acaa7b639686ad8ac589a8f22dfbf6d039d67ccffa2aee482b23176b9d19b7a256808e2d6037584725aadb26e7cf263b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

Filesize
472B

MD5
f219eb248728be0747ada8ad649b75d8

SHA1
ab0f9fd79995b2328bd4d996e60b0065f5bf30d5

SHA256
a7af1395352b84f79a6ada41b92029bd542d2d8b74bb2713a5aaf49163d47076

SHA512
5ce63a21ef03d583b563df5d03d613562b84068de20a8b1664bcdb73bee42380032d46b49c64210722f29653e25e5deff596b4b7f8f0206996f032bcdcdb36d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
f4e1c365e4b6e84ff1528e7a463c8707

SHA1
5063468bc9d5e373d5c5437d1642da7183cf5b3f

SHA256
ac9297a6aec50883aceb8b0e5ef3de6ce98746288a25ef39d3101fc5fb042253

SHA512
7b3540b87c2d2e6bd24b7541f572067b983a48ca10b9f927957020ea89719758ce196be91799245fa5d7f1461e2ecafcc5e5c7d1ecd1a6557d5754aed21dd356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
398B

MD5
725816828d55bdf4f89c37f7be9f32fb

SHA1
2b9700858d56bbf0dc910c3cff0d2a03bfd623c2

SHA256
3bb57dd1f0795bccc6265cd39bb7da8c4f757333aa55ed8e2f84cf769683aed2

SHA512
017d16db393f8f44e1d27d125e100180efc113c762b84e4ae872905e8f9fbec0e792311001fe9ab34fcdb178107b832c011ea6732e3cafa755fa5ee0e59daf43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

Filesize
402B

MD5
e8b745c457ce6d29fcde00d3264336af

SHA1
18595c4d08917ca7727dbd69fb8f98a7748ca768

SHA256
0ff3eb897f28c7316118a2e44904b2511f25eb649ef72b518378df44f64569a7

SHA512
318ad6a9bf1a30d4156a8cb9ffd24d466d8ef2044cc74d9ecb1c33fea10f134e8247d18864204d8545d77bb86e2099fc19c4f164c8f68e04a4af2e8f40374b74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
396B

MD5
50a75e6e00e3c152523b29f7f848ead7

SHA1
5a0927b36ad91744945f0f613fbc39e44e2b1d4f

SHA256
534783431effb2dce35bc7091277bfaa8ca635818c99812a1ccfa957966b5e0c

SHA512
1379e05b31127e2e1ee182c4cd7a13dcce62e3a93c585a8e99154972571f76a3c4e2c01fc63042ab341551af0903c47b5df10d50f0ccf08cbeaffec8174f22a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ODIFJ91X\S4CG2R9F.htm

Filesize
18KB

MD5
19cb5295e21160d78213d3ccc33b8f75

SHA1
d70bc890627b2dd33479eff5d2ffc8aff40a534b

SHA256
7810c957fdddcb7e1477957c0b1f6e90cbaf2bec084ede2a9aa5190d131084c8

SHA512
5b437b9055cdb29e0074fe493c2281af5f6bc4697e6f60d22329fa606c09bd4ffe8c0e50f98c2a12233eac00c480bc38ded1d8431ed771a4495955d865607c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUEIZMHE\RVM4EGQX.htm

Filesize
184B

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
624KB

MD5
e2c9e21bc2d59273ad13144b10e082f8

SHA1
0fd4b5d955122d84552626d2634c62c78e800b7c

SHA256
97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433

SHA512
393ca8e5bf98120a4e0a8b6bab6f4f9582f3283ded401d7942ac8089a9b65d87b63ee66ac43f85de6b08ab914035e08c9b348dbd594688d2a8fee7df08dd7349

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
624KB

MD5
e2c9e21bc2d59273ad13144b10e082f8

SHA1
0fd4b5d955122d84552626d2634c62c78e800b7c

SHA256
97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433

SHA512
393ca8e5bf98120a4e0a8b6bab6f4f9582f3283ded401d7942ac8089a9b65d87b63ee66ac43f85de6b08ab914035e08c9b348dbd594688d2a8fee7df08dd7349

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
624KB

MD5
e2c9e21bc2d59273ad13144b10e082f8

SHA1
0fd4b5d955122d84552626d2634c62c78e800b7c

SHA256
97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433

SHA512
393ca8e5bf98120a4e0a8b6bab6f4f9582f3283ded401d7942ac8089a9b65d87b63ee66ac43f85de6b08ab914035e08c9b348dbd594688d2a8fee7df08dd7349

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
624KB

MD5
e2c9e21bc2d59273ad13144b10e082f8

SHA1
0fd4b5d955122d84552626d2634c62c78e800b7c

SHA256
97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433

SHA512
393ca8e5bf98120a4e0a8b6bab6f4f9582f3283ded401d7942ac8089a9b65d87b63ee66ac43f85de6b08ab914035e08c9b348dbd594688d2a8fee7df08dd7349

Download Submit
memory/2436-184-0x0000000002600000-0x0000000002662000-memory.dmp

Filesize
392KB

Download
memory/2436-185-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3140-150-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3140-141-0x0000000002600000-0x0000000002662000-memory.dmp

Filesize
392KB

Download
memory/3140-178-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3140-177-0x0000000002600000-0x0000000002662000-memory.dmp

Filesize
392KB

Download
memory/3496-131-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3496-138-0x00000000021E0000-0x0000000002242000-memory.dmp

Filesize
392KB

Download
memory/3496-130-0x00000000021E0000-0x0000000002242000-memory.dmp

Filesize
392KB

Download
memory/3496-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3840-183-0x0000000002600000-0x0000000002662000-memory.dmp

Filesize
392KB

Download
memory/3840-186-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3840-187-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads