makop | 50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-09-2022 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
Size

1.0MB
MD5

c9b1338dfcaf42a0fa3595306afce4b3
SHA1

c8e04e6df3535099c41c1fc6db737d4613a8b303
SHA256

50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639
SHA512

81955bfbdd0ff52a9413a9860737d80d94e8c7bb182cec1ecb9c59627875cf71a299674dcb1ec549b16e8826d7a4ec4e4b4ba022bf8d456a83dfe3b90843676c
SSDEEP

24576:CIggbZfccl1V2qBVds4Dy2DEHFVBnCZsGUy0:7ggNfV1YqNfDL4HFVtiWV

Score

10^/10

makop ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

[email protected]

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
308	wbadmin.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1884 set thread context of 1920	1884	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	29
PID 1308 set thread context of 1680	1308	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	43

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\readme-warning.txt	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Menominee	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Lima	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\readme-warning.txt	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Adak	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\cursors.properties	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.bat	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\readme-warning.txt	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sitka	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IpsMigrationPlugin.dll.mui	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\DVDMaker.exe.mui	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\DVD Maker\soniccolorconverter.ax	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InputPersonalization.exe.mui	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\readme-warning.txt	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-previous-static.png	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montevideo	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\handsafe.reg	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\MSTTSLoc.dll.mui	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeulm.dat	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Martinique	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\MSTTSLoc.dll.mui	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DissolveNoise.png	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Knox	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Pangnirtung	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1328	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1696	powershell.exe
1920	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
1296	powershell.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeBackupPrivilege	1760	vssvc.exe
Token: SeRestorePrivilege	1760	vssvc.exe
Token: SeAuditPrivilege	1760	vssvc.exe
Token: SeBackupPrivilege	1412	wbengine.exe
Token: SeRestorePrivilege	1412	wbengine.exe
Token: SeSecurityPrivilege	1412	wbengine.exe
Token: SeIncreaseQuotaPrivilege	1960	WMIC.exe
Token: SeSecurityPrivilege	1960	WMIC.exe
Token: SeTakeOwnershipPrivilege	1960	WMIC.exe
Token: SeLoadDriverPrivilege	1960	WMIC.exe
Token: SeSystemProfilePrivilege	1960	WMIC.exe
Token: SeSystemtimePrivilege	1960	WMIC.exe
Token: SeProfSingleProcessPrivilege	1960	WMIC.exe
Token: SeIncBasePriorityPrivilege	1960	WMIC.exe
Token: SeCreatePagefilePrivilege	1960	WMIC.exe
Token: SeBackupPrivilege	1960	WMIC.exe
Token: SeRestorePrivilege	1960	WMIC.exe
Token: SeShutdownPrivilege	1960	WMIC.exe
Token: SeDebugPrivilege	1960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1960	WMIC.exe
Token: SeRemoteShutdownPrivilege	1960	WMIC.exe
Token: SeUndockPrivilege	1960	WMIC.exe
Token: SeManageVolumePrivilege	1960	WMIC.exe
Token: 33	1960	WMIC.exe
Token: 34	1960	WMIC.exe
Token: 35	1960	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1960	WMIC.exe
Token: SeSecurityPrivilege	1960	WMIC.exe
Token: SeTakeOwnershipPrivilege	1960	WMIC.exe
Token: SeLoadDriverPrivilege	1960	WMIC.exe
Token: SeSystemProfilePrivilege	1960	WMIC.exe
Token: SeSystemtimePrivilege	1960	WMIC.exe
Token: SeProfSingleProcessPrivilege	1960	WMIC.exe
Token: SeIncBasePriorityPrivilege	1960	WMIC.exe
Token: SeCreatePagefilePrivilege	1960	WMIC.exe
Token: SeBackupPrivilege	1960	WMIC.exe
Token: SeRestorePrivilege	1960	WMIC.exe
Token: SeShutdownPrivilege	1960	WMIC.exe
Token: SeDebugPrivilege	1960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1960	WMIC.exe
Token: SeRemoteShutdownPrivilege	1960	WMIC.exe
Token: SeUndockPrivilege	1960	WMIC.exe
Token: SeManageVolumePrivilege	1960	WMIC.exe
Token: 33	1960	WMIC.exe
Token: 34	1960	WMIC.exe
Token: 35	1960	WMIC.exe
Token: SeDebugPrivilege	1296	powershell.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1696	1884	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	27
PID 1884 wrote to memory of 1696	1884	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	27
PID 1884 wrote to memory of 1696	1884	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	27
PID 1884 wrote to memory of 1696	1884	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	27
PID 1884 wrote to memory of 1920	1884	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	29
PID 1884 wrote to memory of 1920	1884	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	29
PID 1884 wrote to memory of 1920	1884	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	29
PID 1884 wrote to memory of 1920	1884	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	29
PID 1884 wrote to memory of 1920	1884	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	29
PID 1884 wrote to memory of 1920	1884	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	29
PID 1884 wrote to memory of 1920	1884	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	29
PID 1884 wrote to memory of 1920	1884	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	29
PID 1884 wrote to memory of 1920	1884	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	29
PID 1920 wrote to memory of 1480	1920	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	31
PID 1920 wrote to memory of 1480	1920	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	31
PID 1920 wrote to memory of 1480	1920	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	31
PID 1920 wrote to memory of 1480	1920	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	31
PID 1480 wrote to memory of 1328	1480	cmd.exe	33
PID 1480 wrote to memory of 1328	1480	cmd.exe	33
PID 1480 wrote to memory of 1328	1480	cmd.exe	33
PID 1480 wrote to memory of 308	1480	cmd.exe	36
PID 1480 wrote to memory of 308	1480	cmd.exe	36
PID 1480 wrote to memory of 308	1480	cmd.exe	36
PID 1480 wrote to memory of 1960	1480	cmd.exe	40
PID 1480 wrote to memory of 1960	1480	cmd.exe	40
PID 1480 wrote to memory of 1960	1480	cmd.exe	40
PID 1308 wrote to memory of 1296	1308	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	42
PID 1308 wrote to memory of 1296	1308	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	42
PID 1308 wrote to memory of 1296	1308	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	42
PID 1308 wrote to memory of 1296	1308	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	42
PID 1308 wrote to memory of 1680	1308	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	43
PID 1308 wrote to memory of 1680	1308	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	43
PID 1308 wrote to memory of 1680	1308	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	43
PID 1308 wrote to memory of 1680	1308	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	43
PID 1308 wrote to memory of 1680	1308	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	43
PID 1308 wrote to memory of 1680	1308	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	43
PID 1308 wrote to memory of 1680	1308	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	43
PID 1308 wrote to memory of 1680	1308	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	43
PID 1308 wrote to memory of 1680	1308	HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe	43

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
  "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe" n1920
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
      "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe"
      4⤵
      PID:1680
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1328
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:308
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1512

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b6db1803ced2189a591938eadefe821b

SHA1
8a4e7891b822d8ceb041650afb5d61bef720bfd3

SHA256
58ba937b4954587326db8f8ef25b976c83b4e91b1e30eebfdfffb24e0fcb389d

SHA512
9388702fb69b636cf9a5dbb0bcc9982df407d5d7fa2eb857f3bfa3fda91402f02f432ea3690426d2d9db9f4fcdc1212a3582bd86e4500067dd7ac5a3f7d0e314

Download Submit
memory/308-79-0x000007FEFB5C1000-0x000007FEFB5C3000-memory.dmp

Filesize
8KB

Download
memory/1296-97-0x0000000073870000-0x0000000073E1B000-memory.dmp

Filesize
5.7MB

Download
memory/1680-96-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1696-77-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1696-76-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1884-54-0x0000000001090000-0x00000000011A2000-memory.dmp

Filesize
1.1MB

Download
memory/1884-58-0x00000000009C0000-0x00000000009E8000-memory.dmp

Filesize
160KB

Download
memory/1884-57-0x0000000005660000-0x00000000056FA000-memory.dmp

Filesize
616KB

Download
memory/1884-56-0x00000000002A0000-0x00000000002B8000-memory.dmp

Filesize
96KB

Download
memory/1884-55-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1920-60-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1920-72-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1920-71-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1920-81-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1920-67-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1920-64-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1920-63-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1920-61-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download