buran | feeca43d32c8d2ad551298812ba8439dee19f0dcd1f0f568dfe1690bef5eba62

Analysis

max time kernel
107s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2022 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

211KB
MD5

102f05cffa7d4ac4b7f02f38e6df632c
SHA1

9f4077164fe67ce25d0e64e4bd5e1ab6c95695de
SHA256

feeca43d32c8d2ad551298812ba8439dee19f0dcd1f0f568dfe1690bef5eba62
SHA512

b9f60951c2dd051a4be77cc7efa2355e4978543389fb50b433500928161d6c9cca6781532bb9a622d4ac107dcd5a24c35ebff722419ea0bf14350ff4fa53130e
SSDEEP

6144:Cia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+6S+:CIMH06cID84DQFu/U3buRKlemZ9DnGAI

Score

10^/10

buran zeppelin persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: E9F-649-AA3 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0005000000000723-133.dat	family_zeppelin
behavioral2/files/0x0005000000000723-134.dat	family_zeppelin
behavioral2/files/0x0005000000000723-146.dat	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

Processes:

lsass.exelsass.exe

pid	Process
420	lsass.exe
2444	lsass.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"	1.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

lsass.exe

description	ioc	Process
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\F:	lsass.exe
File opened (read-only)	\??\A:	lsass.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\B:	lsass.exe

Drops file in Program Files directory 64 IoCs

Processes:

lsass.exe

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.targetsize-256.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-16.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pl-pl\PlayStore_icon.svg.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-100_contrast-black.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_CN.properties	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.dub	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-colorize.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-hover.svg.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\BOLDSTRI.INF.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\vlc.mo.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-32_altform-unplated.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\scanAppLogo.png	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-30_altform-unplated_contrast-black.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupSmallTile.scale-400.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\ui-strings.js.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-200_contrast-white.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\ui-strings.js.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfont.properties.ja.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_ko.properties	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\SmallTile.scale-200.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fi-fi\ui-strings.js.E9F-649-AA3	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\da-dk\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-oob.xrm-ms.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-256_altform-unplated.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-si\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\management\jmxremote.password.template	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\es-es\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.VBS.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\WideTile.scale-100.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\spectrum_spinner.svg	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\es-es\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL002.XML.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\PREVIEW.GIF	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\THMBNAIL.PNG.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_OwlEye.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Marble.jpg	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar.E9F-649-AA3	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ul-oob.xrm-ms.E9F-649-AA3	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lsass.exe

pid	Process
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe
420	lsass.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

1.exelsass.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	900	1.exe
Token: SeDebugPrivilege	900	1.exe
Token: SeDebugPrivilege	420	lsass.exe
Token: SeIncreaseQuotaPrivilege	1788	WMIC.exe
Token: SeSecurityPrivilege	1788	WMIC.exe
Token: SeTakeOwnershipPrivilege	1788	WMIC.exe
Token: SeLoadDriverPrivilege	1788	WMIC.exe
Token: SeSystemProfilePrivilege	1788	WMIC.exe
Token: SeSystemtimePrivilege	1788	WMIC.exe
Token: SeProfSingleProcessPrivilege	1788	WMIC.exe
Token: SeIncBasePriorityPrivilege	1788	WMIC.exe
Token: SeCreatePagefilePrivilege	1788	WMIC.exe
Token: SeBackupPrivilege	1788	WMIC.exe
Token: SeRestorePrivilege	1788	WMIC.exe
Token: SeShutdownPrivilege	1788	WMIC.exe
Token: SeDebugPrivilege	1788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1788	WMIC.exe
Token: SeRemoteShutdownPrivilege	1788	WMIC.exe
Token: SeUndockPrivilege	1788	WMIC.exe
Token: SeManageVolumePrivilege	1788	WMIC.exe
Token: 33	1788	WMIC.exe
Token: 34	1788	WMIC.exe
Token: 35	1788	WMIC.exe
Token: 36	1788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1788	WMIC.exe
Token: SeSecurityPrivilege	1788	WMIC.exe
Token: SeTakeOwnershipPrivilege	1788	WMIC.exe
Token: SeLoadDriverPrivilege	1788	WMIC.exe
Token: SeSystemProfilePrivilege	1788	WMIC.exe
Token: SeSystemtimePrivilege	1788	WMIC.exe
Token: SeProfSingleProcessPrivilege	1788	WMIC.exe
Token: SeIncBasePriorityPrivilege	1788	WMIC.exe
Token: SeCreatePagefilePrivilege	1788	WMIC.exe
Token: SeBackupPrivilege	1788	WMIC.exe
Token: SeRestorePrivilege	1788	WMIC.exe
Token: SeShutdownPrivilege	1788	WMIC.exe
Token: SeDebugPrivilege	1788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1788	WMIC.exe
Token: SeRemoteShutdownPrivilege	1788	WMIC.exe
Token: SeUndockPrivilege	1788	WMIC.exe
Token: SeManageVolumePrivilege	1788	WMIC.exe
Token: 33	1788	WMIC.exe
Token: 34	1788	WMIC.exe
Token: 35	1788	WMIC.exe
Token: 36	1788	WMIC.exe
Token: SeBackupPrivilege	4228	vssvc.exe
Token: SeRestorePrivilege	4228	vssvc.exe
Token: SeAuditPrivilege	4228	vssvc.exe
Token: SeDebugPrivilege	420	lsass.exe
Token: SeDebugPrivilege	420	lsass.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

1.exelsass.execmd.exe

description	pid	Process	procid_target
PID 900 wrote to memory of 420	900	1.exe	81
PID 900 wrote to memory of 420	900	1.exe	81
PID 900 wrote to memory of 420	900	1.exe	81
PID 900 wrote to memory of 2432	900	1.exe	82
PID 900 wrote to memory of 2432	900	1.exe	82
PID 900 wrote to memory of 2432	900	1.exe	82
PID 900 wrote to memory of 2432	900	1.exe	82
PID 900 wrote to memory of 2432	900	1.exe	82
PID 900 wrote to memory of 2432	900	1.exe	82
PID 420 wrote to memory of 5076	420	lsass.exe	89
PID 420 wrote to memory of 5076	420	lsass.exe	89
PID 420 wrote to memory of 5076	420	lsass.exe	89
PID 420 wrote to memory of 220	420	lsass.exe	91
PID 420 wrote to memory of 220	420	lsass.exe	91
PID 420 wrote to memory of 220	420	lsass.exe	91
PID 420 wrote to memory of 4048	420	lsass.exe	93
PID 420 wrote to memory of 4048	420	lsass.exe	93
PID 420 wrote to memory of 4048	420	lsass.exe	93
PID 420 wrote to memory of 3912	420	lsass.exe	95
PID 420 wrote to memory of 3912	420	lsass.exe	95
PID 420 wrote to memory of 3912	420	lsass.exe	95
PID 420 wrote to memory of 4232	420	lsass.exe	97
PID 420 wrote to memory of 4232	420	lsass.exe	97
PID 420 wrote to memory of 4232	420	lsass.exe	97
PID 420 wrote to memory of 3364	420	lsass.exe	99
PID 420 wrote to memory of 3364	420	lsass.exe	99
PID 420 wrote to memory of 3364	420	lsass.exe	99
PID 420 wrote to memory of 4492	420	lsass.exe	101
PID 420 wrote to memory of 4492	420	lsass.exe	101
PID 420 wrote to memory of 4492	420	lsass.exe	101
PID 4492 wrote to memory of 1788	4492	cmd.exe	103
PID 4492 wrote to memory of 1788	4492	cmd.exe	103
PID 4492 wrote to memory of 1788	4492	cmd.exe	103
PID 420 wrote to memory of 3940	420	lsass.exe	106
PID 420 wrote to memory of 3940	420	lsass.exe	106
PID 420 wrote to memory of 3940	420	lsass.exe	106
PID 420 wrote to memory of 2444	420	lsass.exe	108
PID 420 wrote to memory of 2444	420	lsass.exe	108
PID 420 wrote to memory of 2444	420	lsass.exe	108
PID 420 wrote to memory of 3464	420	lsass.exe	110
PID 420 wrote to memory of 3464	420	lsass.exe	110
PID 420 wrote to memory of 3464	420	lsass.exe	110
PID 420 wrote to memory of 3464	420	lsass.exe	110
PID 420 wrote to memory of 3464	420	lsass.exe	110
PID 420 wrote to memory of 3464	420	lsass.exe	110

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:420
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:4048
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:3940
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2444
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3464
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:2432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
211KB

MD5
102f05cffa7d4ac4b7f02f38e6df632c

SHA1
9f4077164fe67ce25d0e64e4bd5e1ab6c95695de

SHA256
feeca43d32c8d2ad551298812ba8439dee19f0dcd1f0f568dfe1690bef5eba62

SHA512
b9f60951c2dd051a4be77cc7efa2355e4978543389fb50b433500928161d6c9cca6781532bb9a622d4ac107dcd5a24c35ebff722419ea0bf14350ff4fa53130e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
211KB

MD5
102f05cffa7d4ac4b7f02f38e6df632c

SHA1
9f4077164fe67ce25d0e64e4bd5e1ab6c95695de

SHA256
feeca43d32c8d2ad551298812ba8439dee19f0dcd1f0f568dfe1690bef5eba62

SHA512
b9f60951c2dd051a4be77cc7efa2355e4978543389fb50b433500928161d6c9cca6781532bb9a622d4ac107dcd5a24c35ebff722419ea0bf14350ff4fa53130e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
211KB

MD5
102f05cffa7d4ac4b7f02f38e6df632c

SHA1
9f4077164fe67ce25d0e64e4bd5e1ab6c95695de

SHA256
feeca43d32c8d2ad551298812ba8439dee19f0dcd1f0f568dfe1690bef5eba62

SHA512
b9f60951c2dd051a4be77cc7efa2355e4978543389fb50b433500928161d6c9cca6781532bb9a622d4ac107dcd5a24c35ebff722419ea0bf14350ff4fa53130e

Download Submit
C:\Users\Admin\Desktop\BlockRevoke.vsw.E9F-649-AA3

Filesize
788KB

MD5
047d9a00102a99b5ed236ce2b3c9c912

SHA1
1736fdd52b822fe6ccc071a19f66a8c57413e06e

SHA256
ea0ef1afae3d4c4f4a33a729e40fa2568634239c499ac0af295ae8c8c6fca1c1

SHA512
9d21c3668dd7f413c433880ebc4d18d89d279e5c7e3ca45fc2f99be008d18885a6c3e31bac803318d75b9e8fa2bef45aefedefd6e6240b92505865a7c7178c0f

Download Submit
C:\Users\Admin\Desktop\CopyPublish.ogg.E9F-649-AA3

Filesize
661KB

MD5
82565e40851cd54caac467159d89d0bd

SHA1
5b820a7d2d523033e1ce573a647efe9542894764

SHA256
a7e71a6d1d98f6bc4006faa91225222fac18b838b931015292c0948b03a3f428

SHA512
ff7864edf6fa4099061057b2619483086009c70d1703bc8ed6ebbbadeb0a95756f8c8301a705179d1e02206eda6bb5bd4ea845ad917da7bb2cd52a1c90cd471a

Download Submit
C:\Users\Admin\Desktop\DisableClose.ADT.E9F-649-AA3

Filesize
382KB

MD5
8683abbc958a5a93483d0a64e8ff9a92

SHA1
bf0fe7980e652152c3506f73e3404a2cc516e9ad

SHA256
ca2cb17ed6286291fb7434b6c41818bc910583dd438e2107975831ad63215fde

SHA512
eeb0da72ee5bd1e55b6f97dc6a709333e4377f7c957fa2c0752847a82716415943040022c5b0e3acf61a0d5a5c3cc806c6e4bf2b0d1368fa342ed2f51081c89a

Download Submit
C:\Users\Admin\Desktop\DisconnectRequest.kix.E9F-649-AA3

Filesize
306KB

MD5
0964393a0f0602c9bcc9c7de4cda3bea

SHA1
37c9eed0289a876f75a2147253306f4b19ba4f61

SHA256
a9ceaed77d6ff72efe9f2eeff560ac26f00f77316c4c047e5aa7d80c2fc1fd1d

SHA512
d3720e81fb930328e0d433176bec994f7739ff0bdd4302e06d680e7cd1a489763a4d4472907cc2ae1becdce117ca7f36d1815ddfd28e18663c84c6a1d1c7324d

Download Submit
C:\Users\Admin\Desktop\DisconnectUnregister.wvx.E9F-649-AA3

Filesize
433KB

MD5
9e358ec385f68a7fd187c2a6525aa589

SHA1
edee80c375c5aedb1b49928fb0abb5e26ef0072f

SHA256
606223785c6ea216b4aaba5848570612d54e00c941a94fa591cd1bd69d2ac983

SHA512
40a02c626af0315be6a9881f5fd1d9f9687969b2134ebddb6ef8785caa54a5f7e98e630b4c4f61442558b24d6243e8a2ee069d2644a738f1444e18b3c35cc400

Download Submit
C:\Users\Admin\Desktop\ExpandOut.tif.E9F-649-AA3

Filesize
712KB

MD5
183edef1bea60578f921db31e0383723

SHA1
d8ee59a5eb9c128fb6d6fe7666c483c7c2253ecb

SHA256
7cd930bef9d33bea538e4d252df2461719e6670cf856051056efcb0582da2052

SHA512
066ec22937a02e9a3baf7102cd181595a7bb3c759780e3a89bc9c3e7e591175d4050092dc8950a38564a0502115f673b1e70b142313798bac66f9dc5f4fa98ee

Download Submit
C:\Users\Admin\Desktop\GroupRestore.exe.E9F-649-AA3

Filesize
763KB

MD5
5d821fb8ac48005a9d6f72f1db8cbc23

SHA1
c865d5bee9eafeac4cdb391389e88f7a437c87fe

SHA256
ed3745aeef4c31287f41ab42e8f096ac5a5ab260d7ead2a9da5285c0d1fec869

SHA512
162cae8cd882c255feddc918b27d19e42a00abef99acba76e522a3d9247e67f4a393f122c2dd9432d75c3786d192eeb252fa93eea405b888e9358fef1934b989

Download Submit
C:\Users\Admin\Desktop\MergeSave.bmp.E9F-649-AA3

Filesize
534KB

MD5
0713def2c810b4afa360fc8aa5faf4a3

SHA1
addb6d0bfd4497804ec614d7a338089d24ffda40

SHA256
08dc7063bc93485d05a5b69db0462626811df463f59e04e20d172c1f5493a983

SHA512
ec60e4a26bae4208d248b5ed61cc538d2b6b3f4a4ed67389aaa1a3aff4778cb57b7b620613578214f241e584d2facc3acfbf8f8ced79dfdc1cf12b4df29f8b0c

Download Submit
C:\Users\Admin\Desktop\MountResume.ppsx.E9F-649-AA3

Filesize
687KB

MD5
947229282da849f308e4b97c9c45d39c

SHA1
8170feec53e96c6edd4ee4f835d111bbf97a5496

SHA256
66de95f119392468702a529c70ec8057c97c0f3a100c918f36cf46dc62b393e0

SHA512
df9bf48b0ecacb664b51e0cd0d7b8b985c5839d36059855364c6ad39d82c33efd9e6934f370fc4da8a18b11a44f0dafcd0133787a1c5866716a3d9840407cce2

Download Submit
C:\Users\Admin\Desktop\OpenExit.ps1.E9F-649-AA3

Filesize
585KB

MD5
c9906ca39a94511b3f526499f3900074

SHA1
e8014649a7689fd1563e1872c1352d3b0b90cbe4

SHA256
1f2f691a546a7160b443ad7da7cc41ddd20c32c2da85b460cd5b07426766f4f3

SHA512
76e2de0d04225db0792f2752ca272f370e4ef1b7eccc90469cfa5261d283bdfdc786d132ce227d03d97d1b5db973b937ce5ba865f9a3daf57a0214aca3261cf7

Download Submit
C:\Users\Admin\Desktop\PublishRedo.htm.E9F-649-AA3

Filesize
331KB

MD5
5d9c9c758c7e6af950ec9f6d7840c171

SHA1
4de3b8fbc59cb040186a692951bd75631ca7e501

SHA256
fb996e32a21e0d0c41a91687d27bf978928c9229875d338895ec6d147ab1c996

SHA512
6f5f716cffeff710aae3a4bdb622f82bd706358e159c5a9533b666b64271d6d1011fc7b8687fbf0de24350c956890c04d8b64b10597446d7d459b2b67435700a

Download Submit
C:\Users\Admin\Desktop\RedoReset.ini.E9F-649-AA3

Filesize
484KB

MD5
36eb2a3d454be0fd853c9b37df68f19d

SHA1
29f49e3b267631130c28ec5efbb53fb7e2c27298

SHA256
3f9f8cdde3b592a9ee0d3d10842f813bebb879fdf7733b1529edb3ebc6c49b1b

SHA512
cdfba26a42615f69993278a183680159a4223052092490664b26f974f877472b662c64536e3431dd3b8aa0fe60118d846839dd1b5e787b09950cc8dd2aa53b43

Download Submit
C:\Users\Admin\Desktop\RepairUninstall.au3.E9F-649-AA3

Filesize
458KB

MD5
96a0a70e9584c9d61a8832ea1319b036

SHA1
82cb18a0eb14eb58caa15ab651ed104d1a52e8ee

SHA256
d9e9eb2f5773f4940d3a95ffda87ab4688ede4754b8789e8a24935be3b62e36d

SHA512
382b07b547da2666e8fd3b8b86ad6a71533096cfc320ff8298a6f413692acdb76dff7b4eaea0e3025ca6e1f63d63f50d58050cd275474aa6d420e268e24bad5d

Download Submit
C:\Users\Admin\Desktop\ResizeRead.dotm.E9F-649-AA3

Filesize
1.1MB

MD5
e8e38ebe4c6cbd2ee45200153b10daad

SHA1
480342393f1e552986a50aacd4111e941c7906f3

SHA256
544fce0e62d6b7cae037dac94e7fff9e9bb62b23048201e9d616a5f8d06b050f

SHA512
ed2eb52f25e40d6dcd3fde928cc436bf5d56d2458fd9481cd9d3c752263689d513fe9ed0d948a24ab5a0a86f09046b50f13143a3f53e4c088f19d8aa999febf1

Download Submit
C:\Users\Admin\Desktop\RestoreAdd.xsl.E9F-649-AA3

Filesize
280KB

MD5
ab6df8ae2cd6c7ea2606a72504ef9239

SHA1
d9920e529460b9574f7cd6711982733312f010b9

SHA256
f315c211ee510f55b4ecea8c3eea0c99b6f27c2fb859a14942a3be263835b1eb

SHA512
423bd67b66f0f1be625e71ed90a12c97f19461e4ae01b7f49b39ff8362c0e21b497a49087fccb9a06f91c7eb11e967802953cc6f407e1f2cf2423bae76178021

Download Submit
C:\Users\Admin\Desktop\ResumeComplete.dot.E9F-649-AA3

Filesize
560KB

MD5
8579475ddf2c660aaef9d5bf5add90e8

SHA1
c6d057d8c3b210d430f393b987e7e4c396ec28fa

SHA256
399712f11b4f46ced4c71587002d274e4cf46f37e868de4c5f2a18c013852f87

SHA512
d8a096403e5acf4bfae0d5b014ce526b245f0f803f4c398a732847c2200e351808be8982d3834f9d4d6cae7f5dfa6505a56f95087c919c803853c4a2626e96b3

Download Submit
C:\Users\Admin\Desktop\ResumeMerge.vbe.E9F-649-AA3

Filesize
610KB

MD5
aa149e001bd4f8fb25b45ad3f3fad417

SHA1
e71f9a2dfad70fb882ab27f47b09a07432c3f457

SHA256
79d67fe742f5dc330c33ab9533706be4de031787f4768e487d32e21ff2fa2a2c

SHA512
953e73fe597786201c3c0f67a33197a10f5f564ac9b1b20de2a2c102f2f82cee9b53255f68a4c6f198855866163b4911a2bd7072179a9e246f35523c2c67e779

Download Submit
C:\Users\Admin\Desktop\SaveCopy.mpa.E9F-649-AA3

Filesize
407KB

MD5
2bc121428bfaf2b772ef8bc65a2f6cb4

SHA1
4fe3050c32abd06574de987cf368b78146035df5

SHA256
1334564b4167a5dea455a5d8b01770297bf61832e842ddaf9e822b5e86f894f8

SHA512
5095ea4bf28e573e537fdc949d0e79a99e43577407007f7101bc65c6b226d239def3f9dfa41e707538d885c5235557d24776498d018612fd76c4b0bf8db8222f

Download Submit
C:\Users\Admin\Desktop\ShowCheckpoint.wma.E9F-649-AA3

Filesize
737KB

MD5
ca079895bd0592f45e64532254ed7617

SHA1
30a3a14b732a11fb7c6a8b936db07ab30e1e02e0

SHA256
b51248c0c652f7b3187c8cbc6fb18e558f4b145f76fcfcaf5b46d975337a7dd4

SHA512
f1b9c40b9f1f6a7d368291b2cfd7f459ee12be5b64d0948499f2cc2417a699a2f759260dc35a0b2318fc755535b26b739dd8a379ac5f5cda90e8b047fb3101e8

Download Submit
C:\Users\Admin\Desktop\SwitchProtect.wma.E9F-649-AA3

Filesize
509KB

MD5
fb1125b113f30b9e5eac99ae4b645c3c

SHA1
b06dc8456c6cbda1c948e3e14eeb600384e993e7

SHA256
a1fb8d09911205ec94afbf91e3045861bf624be95e58e4bd332affdaa289f5fd

SHA512
b2bb54fe3e934702d3c9b1260ccb11167eb0fb1e9f28be2cbd9ce924a08a0623310f706624251b700a828de28bebe9be33a7b9cca6183367ac2cc37445229655

Download Submit
C:\Users\Admin\Desktop\WriteCopy.jfif.E9F-649-AA3

Filesize
636KB

MD5
a124c7fac1d309ab3220a35666d6a066

SHA1
ef7dbf3db1ccc25303f2aaf4f0877e5346b589c7

SHA256
8e035a98fae67b34ec03a3de45079a19fe3936d1685571e746bda65cdee2b51f

SHA512
048890813499fdae2f0dca91975722a5381a5d6fa2eb83d5a9d1a76511eabe4b641896917cc7ae540c5e06553c45af3fb71dde935c0d98f1e9005972aabdc90e

Download Submit
C:\Users\Admin\Desktop\WriteDisconnect.vssx.E9F-649-AA3

Filesize
357KB

MD5
0a20e75bfc373574a7a034d8575c6c6e

SHA1
57bdc0c81f345311eabaa820c29678497505f033

SHA256
248ab00a46e1721d60a8bcd6f3c792640ec7350d5fc35c0d17cfc0f52ab62324

SHA512
1dbe414debdb03dc2acdf7533111d265dfb555556016642be2472131342a8e0392e16b8aea099791823be7d529e8a291cf6e4b03c43d15e56781243fd1466b87

Download Submit
memory/220-137-0x0000000000000000-mapping.dmp

Download
memory/420-132-0x0000000000000000-mapping.dmp

Download
memory/1788-143-0x0000000000000000-mapping.dmp

Download
memory/2432-135-0x0000000000000000-mapping.dmp

Download
memory/2444-145-0x0000000000000000-mapping.dmp

Download
memory/3364-141-0x0000000000000000-mapping.dmp

Download
memory/3464-169-0x0000000000000000-mapping.dmp

Download
memory/3912-139-0x0000000000000000-mapping.dmp

Download
memory/3940-144-0x0000000000000000-mapping.dmp

Download
memory/4048-138-0x0000000000000000-mapping.dmp

Download
memory/4232-140-0x0000000000000000-mapping.dmp

Download
memory/4492-142-0x0000000000000000-mapping.dmp

Download
memory/5076-136-0x0000000000000000-mapping.dmp

Download