buran | 56871e1fe3b6af154aadd2ab300f0bfc031aea4fab992dbaec57057459a0d754

Analysis

max time kernel
105s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-10-2022 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

211KB
MD5

298dcc1285045bc397ef95ec583901da
SHA1

0b983d8948b282a76bece44d61e9ac73f10cfd31
SHA256

56871e1fe3b6af154aadd2ab300f0bfc031aea4fab992dbaec57057459a0d754
SHA512

ef296ab179f5578d51ccbbe6b9194e1bd3fd46affa3a14be955e15994b6e902c01b467a962eb0d3548fe510f16c77c73d87bece92b15bc6f89c3e2dd4ffea94a
SSDEEP

6144:gia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+U+:gIMH06cID84DQFu/U3buRKlemZ9DnGAI

Score

10^/10

buran zeppelin persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: friendendfriend@cock.li and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: friendendfriend@cock.li Reserved email: brittonucgm147@gmail.com Your personal ID: 555-B4B-BE1 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

friendendfriend@cock.li

brittonucgm147@gmail.com

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 5 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe	family_zeppelin
\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe	family_zeppelin
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe	family_zeppelin
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe	family_zeppelin
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

smss.exesmss.exe

pid process

1804 smss.exe
1548 smss.exe

pid	process
1804	smss.exe
1548	smss.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

smss.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ApproveUnpublish.tiff	smss.exe
File opened for modification	C:\Users\Admin\Pictures\EnableMerge.tiff	smss.exe
File opened for modification	C:\Users\Admin\Pictures\PopSplit.tiff	smss.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1076 notepad.exe
Loads dropped DLL 2 IoCs

Processes:

1.exe

pid process

1948 1.exe
1948 1.exe

pid	process
1076	notepad.exe

pid	process
1948	1.exe
1948	1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	1.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smss.exe

description	ioc	process
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\F:	smss.exe
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\B:	smss.exe

Drops file in Program Files directory 64 IoCs

Processes:

smss.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\INDST_01.MID	smss.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\HEADINGBB.POC.555-B4B-BE1	smss.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\SessionOwner.ico.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	smss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01084_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19828_.WMF	smss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_ja_4.4.0.v20140623020002.jar.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309902.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue.css.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excel.exe.manifest	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00705_.WMF	smss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Fakaofo.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-2.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04384_.WMF	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\jvm.lib.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSSPC.ECF.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\background.gif.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	smss.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\WIND.WAV.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199805.WMF.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novosibirsk	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00192_.WMF.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR50B.GIF.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR51B.GIF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBHED98.POC.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19695_.WMF.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0157177.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02074U.BMP.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESN.CFG	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Warsaw.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Sales Pipeline.accdt.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\Synchronization.rll	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_TW.jar.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21480_.GIF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_disable.gif.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02166_.WMF.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086428.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL010.XML.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPUNCT.XML.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\TexturedBlue.css	smss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.rst.555-B4B-BE1	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1648 vssadmin.exe

pid	process
1648	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

1.exesmss.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1948	1.exe
Token: SeDebugPrivilege	1948	1.exe
Token: SeDebugPrivilege	1804	smss.exe
Token: SeIncreaseQuotaPrivilege	396	WMIC.exe
Token: SeSecurityPrivilege	396	WMIC.exe
Token: SeTakeOwnershipPrivilege	396	WMIC.exe
Token: SeLoadDriverPrivilege	396	WMIC.exe
Token: SeSystemProfilePrivilege	396	WMIC.exe
Token: SeSystemtimePrivilege	396	WMIC.exe
Token: SeProfSingleProcessPrivilege	396	WMIC.exe
Token: SeIncBasePriorityPrivilege	396	WMIC.exe
Token: SeCreatePagefilePrivilege	396	WMIC.exe
Token: SeBackupPrivilege	396	WMIC.exe
Token: SeRestorePrivilege	396	WMIC.exe
Token: SeShutdownPrivilege	396	WMIC.exe
Token: SeDebugPrivilege	396	WMIC.exe
Token: SeSystemEnvironmentPrivilege	396	WMIC.exe
Token: SeRemoteShutdownPrivilege	396	WMIC.exe
Token: SeUndockPrivilege	396	WMIC.exe
Token: SeManageVolumePrivilege	396	WMIC.exe
Token: 33	396	WMIC.exe
Token: 34	396	WMIC.exe
Token: 35	396	WMIC.exe
Token: SeIncreaseQuotaPrivilege	396	WMIC.exe
Token: SeSecurityPrivilege	396	WMIC.exe
Token: SeTakeOwnershipPrivilege	396	WMIC.exe
Token: SeLoadDriverPrivilege	396	WMIC.exe
Token: SeSystemProfilePrivilege	396	WMIC.exe
Token: SeSystemtimePrivilege	396	WMIC.exe
Token: SeProfSingleProcessPrivilege	396	WMIC.exe
Token: SeIncBasePriorityPrivilege	396	WMIC.exe
Token: SeCreatePagefilePrivilege	396	WMIC.exe
Token: SeBackupPrivilege	396	WMIC.exe
Token: SeRestorePrivilege	396	WMIC.exe
Token: SeShutdownPrivilege	396	WMIC.exe
Token: SeDebugPrivilege	396	WMIC.exe
Token: SeSystemEnvironmentPrivilege	396	WMIC.exe
Token: SeRemoteShutdownPrivilege	396	WMIC.exe
Token: SeUndockPrivilege	396	WMIC.exe
Token: SeManageVolumePrivilege	396	WMIC.exe
Token: 33	396	WMIC.exe
Token: 34	396	WMIC.exe
Token: 35	396	WMIC.exe
Token: SeBackupPrivilege	1852	vssvc.exe
Token: SeRestorePrivilege	1852	vssvc.exe
Token: SeAuditPrivilege	1852	vssvc.exe
Token: SeDebugPrivilege	1804	smss.exe
Token: SeDebugPrivilege	1804	smss.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

1.exesmss.execmd.execmd.exe

description	pid	process	target process
PID 1948 wrote to memory of 1804	1948	1.exe	smss.exe
PID 1948 wrote to memory of 1804	1948	1.exe	smss.exe
PID 1948 wrote to memory of 1804	1948	1.exe	smss.exe
PID 1948 wrote to memory of 1804	1948	1.exe	smss.exe
PID 1948 wrote to memory of 1076	1948	1.exe	notepad.exe
PID 1948 wrote to memory of 1076	1948	1.exe	notepad.exe
PID 1948 wrote to memory of 1076	1948	1.exe	notepad.exe
PID 1948 wrote to memory of 1076	1948	1.exe	notepad.exe
PID 1948 wrote to memory of 1076	1948	1.exe	notepad.exe
PID 1948 wrote to memory of 1076	1948	1.exe	notepad.exe
PID 1948 wrote to memory of 1076	1948	1.exe	notepad.exe
PID 1804 wrote to memory of 2012	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 2012	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 2012	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 2012	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 2004	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 2004	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 2004	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 2004	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 1972	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 1972	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 1972	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 1972	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 568	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 568	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 568	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 568	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 1124	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 1124	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 1124	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 1124	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 1084	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 1084	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 1084	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 1084	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 1072	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 1072	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 1072	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 1072	1804	smss.exe	cmd.exe
PID 1072 wrote to memory of 396	1072	cmd.exe	WMIC.exe
PID 1072 wrote to memory of 396	1072	cmd.exe	WMIC.exe
PID 1072 wrote to memory of 396	1072	cmd.exe	WMIC.exe
PID 1072 wrote to memory of 396	1072	cmd.exe	WMIC.exe
PID 1804 wrote to memory of 1412	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 1412	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 1412	1804	smss.exe	cmd.exe
PID 1804 wrote to memory of 1412	1804	smss.exe	cmd.exe
PID 1412 wrote to memory of 1648	1412	cmd.exe	vssadmin.exe
PID 1412 wrote to memory of 1648	1412	cmd.exe	vssadmin.exe
PID 1412 wrote to memory of 1648	1412	cmd.exe	vssadmin.exe
PID 1412 wrote to memory of 1648	1412	cmd.exe	vssadmin.exe
PID 1804 wrote to memory of 1548	1804	smss.exe	smss.exe
PID 1804 wrote to memory of 1548	1804	smss.exe	smss.exe
PID 1804 wrote to memory of 1548	1804	smss.exe	smss.exe
PID 1804 wrote to memory of 1548	1804	smss.exe	smss.exe
PID 1804 wrote to memory of 1732	1804	smss.exe	notepad.exe
PID 1804 wrote to memory of 1732	1804	smss.exe	notepad.exe
PID 1804 wrote to memory of 1732	1804	smss.exe	notepad.exe
PID 1804 wrote to memory of 1732	1804	smss.exe	notepad.exe
PID 1804 wrote to memory of 1732	1804	smss.exe	notepad.exe
PID 1804 wrote to memory of 1732	1804	smss.exe	notepad.exe
PID 1804 wrote to memory of 1732	1804	smss.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
3⤵
PID:568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
3⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete backup
3⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1648

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
PID:1548

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:1732

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:1076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
1⤵
PID:2032

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
Filesize
211KB

MD5
298dcc1285045bc397ef95ec583901da

SHA1
0b983d8948b282a76bece44d61e9ac73f10cfd31

SHA256
56871e1fe3b6af154aadd2ab300f0bfc031aea4fab992dbaec57057459a0d754

SHA512
ef296ab179f5578d51ccbbe6b9194e1bd3fd46affa3a14be955e15994b6e902c01b467a962eb0d3548fe510f16c77c73d87bece92b15bc6f89c3e2dd4ffea94a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
Filesize
211KB

MD5
298dcc1285045bc397ef95ec583901da

SHA1
0b983d8948b282a76bece44d61e9ac73f10cfd31

SHA256
56871e1fe3b6af154aadd2ab300f0bfc031aea4fab992dbaec57057459a0d754

SHA512
ef296ab179f5578d51ccbbe6b9194e1bd3fd46affa3a14be955e15994b6e902c01b467a962eb0d3548fe510f16c77c73d87bece92b15bc6f89c3e2dd4ffea94a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
Filesize
211KB

MD5
298dcc1285045bc397ef95ec583901da

SHA1
0b983d8948b282a76bece44d61e9ac73f10cfd31

SHA256
56871e1fe3b6af154aadd2ab300f0bfc031aea4fab992dbaec57057459a0d754

SHA512
ef296ab179f5578d51ccbbe6b9194e1bd3fd46affa3a14be955e15994b6e902c01b467a962eb0d3548fe510f16c77c73d87bece92b15bc6f89c3e2dd4ffea94a

Download Submit
C:\Users\Admin\Desktop\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Filesize
944B

MD5
ba84bb957b9497534f54eb3b73f5101f

SHA1
06ed2f7cd8c759db7841c5cef37d897ebe005313

SHA256
9accbd239fc6eecaeeed479b52e0cc4e0508caea6f056a1760d08ec34c2f8d70

SHA512
69dd520a706629855e505ed721283b89b46ca315f61f0ed383a90b5f91864d131eef1f933c235700aefd24ecbc4e013f736785646434bcb40ff81174b228b431

Download Submit
C:\Users\Admin\Desktop\BackupDisable.emf.555-B4B-BE1
Filesize
406KB

MD5
726f00069cf7fc2362cfd562c30dd7fe

SHA1
6557006748ccb6725f593c408666ec89d941cddd

SHA256
15152a279e336da16b8933cce89701d712bee22650053ab8e61c53b75cd3b08e

SHA512
44550a3e1c2f7c92a4d3ff70fa47e7ba54662d22cef941f9dd5f36571fc760d1c44dce07c8a9e93050e8481c9c12c0841af58f75c0d0f50f1a1c43399ede0362

Download Submit
C:\Users\Admin\Desktop\BlockSync.dib.555-B4B-BE1
Filesize
1.1MB

MD5
182cec877bec9b378d7f12c40f809892

SHA1
08df921b9dc6f40eeb464755d3b339a97903d75c

SHA256
2447020dd5a173e1fd1dfb42f60a5fcb1e7f69acb95d82d4ac503f76be506fa0

SHA512
f03558c9e3fc14a3040940426d2163a401c433fb94b3383d97888cc401f69cd803b9152afee4d6784835872aeac56ee76b5ca9dec82ba2ec8ba5afe01a6708af

Download Submit
C:\Users\Admin\Desktop\CompressProtect.nfo.555-B4B-BE1
Filesize
1014KB

MD5
66d5ef760c3c1fa741348e538ba9cc6c

SHA1
8cfc16a593963e54086bf1dcf0dfcec9804780de

SHA256
2c87b425f2995e85bb62c6443e47579a52c93dce884157627eb5d8f7469020d6

SHA512
d86a47b5dcccc48c9d59abfb4b575291e44369c7682a8d5dc567277f008e360519894e60b8609eb3fb91e0efb737f6733fe4119b36d23fa5d1a3f16c081e2fc4

Download Submit
C:\Users\Admin\Desktop\ConvertSave.rmi.555-B4B-BE1
Filesize
643KB

MD5
b45d9409ae398ca1c565a1a630e466a5

SHA1
1b30e4910052bac7e8eb4b4088a32df235b3643e

SHA256
ed59dd6804be0d1fc5505cdb7ce3f628c81875889415c5f7b39479ed8f80dcea

SHA512
7c5e1a1fa06b3dfaad3cfe85b190cf05cfb926d63e2bc5c837e40f465671c7dbe451ed4e5e7064449c8f6a88aa3589f7c2fc9f83acfcfcf54d164d224d340bb6

Download Submit
C:\Users\Admin\Desktop\DebugBlock.mpeg2.555-B4B-BE1
Filesize
474KB

MD5
44e923299f3a14d8e4e4ec3df529ea79

SHA1
cd088079656d2db1bbb338ebc0759adf005f790e

SHA256
743f2b107d8c101bff31e078d8b86651f8c3b57430fb0830537ab1ff9f9cf151

SHA512
62fed26004f8835a1e96befcad77ceb1626792ea7dd9226d35ae6c7d64f0e3f70fbdfc7affc1e571bd06fba3952f93a41b1e192df538bde624747adef9701583

Download Submit
C:\Users\Admin\Desktop\DisconnectSuspend.vsw.555-B4B-BE1
Filesize
1.6MB

MD5
f244991d87a739e7bd83e09720fcc302

SHA1
cc5ab2d5bb8b09fe217005894d05a4bfb21fb572

SHA256
05860142b7a02a7222441cc580a0a43a5f98905ea468de19aa1732cd9054ff83

SHA512
5d2c71d57c7c45f75c75293562cd727e1dd6dbe027ba03cc6307b3c941f5c006399d8eb6ef57c982289a70831c29b79c59d1bfb1182d0a1da666b14edff25d24

Download Submit
C:\Users\Admin\Desktop\EnableAdd.mpp.555-B4B-BE1
Filesize
440KB

MD5
9c3ec4c9061d1bad2946c3fe10e359aa

SHA1
42936e6eb2785d724008747ecba332de2a12e194

SHA256
761bd483d73cbdf87c72c0421a61fe2f4f0898ae951ed9c08b709cb1a4ac3d72

SHA512
632c204701548e3d25b594df4e2f3c72f4ccb2b99877759a6f3e0d08a4ac429fceb50f4968b68e79f4ada0f4e6768d7489f09124b9b84e3b63f24ad2cf6dea8e

Download Submit
C:\Users\Admin\Desktop\ExitGrant.xlt.555-B4B-BE1
Filesize
981KB

MD5
d482c163782e2d8d78ccb2df09a2c1c4

SHA1
b93ed2a7202be9f0a58dc50e49b5b7e0281410ed

SHA256
f519b30d2f0a836a9f5498c69916510d97ef6d02c7d13e690234ff7e29b59168

SHA512
b3dcf65fae51c23aa099b1b224f6ca3a1b33be604e17723c3b6d2ca756e5ffab1e2644e364d58602cae6e10332df498a6340fd7d79a28f6b82741fd36a5417ee

Download Submit
C:\Users\Admin\Desktop\FindUnprotect.wvx.555-B4B-BE1
Filesize
609KB

MD5
05a3b08054b6c3b586b41e697cee4747

SHA1
5398c435bf228bc7132f9567bacf091f6ef4a3bc

SHA256
1bb46321eba8985f6c60eb2ccff398be9e1fe4be522121cbedd8852df353b5cb

SHA512
f9ad6dfe3ba71a9405606d55d68bc1d62283f4d3ab87da5f0408a7235ce03ffba7b42d535f073a315af03681720d0e7c5eebe71d4cc75942d9ebed1c8e016518

Download Submit
C:\Users\Admin\Desktop\InitializeEnable.xlsb.555-B4B-BE1
Filesize
744KB

MD5
2007f13b2cf2188258ae008110b1d76b

SHA1
fb3a9d325b2ca00d964fbd2b215ac02f7583230d

SHA256
1f51a35486de9e478ae72ff001b4c4c9b7417a797bbff2ae9f401198d995ea26

SHA512
c6c274029427c1fb7ef11f41ce96fa72a8974bcbabaae595a2b9baa31ec400164e56270ad33acdd813014207397f134de68a2e4a910a2d4e5c1a687d095240ee

Download Submit
C:\Users\Admin\Desktop\JoinMove.pub.555-B4B-BE1
Filesize
846KB

MD5
a62a57ceba7085ad06ee420710a4d24b

SHA1
aaad18fde0f90afc0ddfa798e04a8d10ce606a6e

SHA256
d457f2826d53e96786b991701b65ac66f0187416e2b8af73b59d05b8ed404cd7

SHA512
aa4221846ad803fa5f801cd920fe830a295496adc65e54220e62b65d9bcb4e5f2d894966b2871820223221be0dfb99a6fab2d0257fd0a463a3dde2fc2ca87f3c

Download Submit
C:\Users\Admin\Desktop\MeasureSearch.js.555-B4B-BE1
Filesize
778KB

MD5
9f385818a169b719a11deef9a48e61c4

SHA1
2d5d484d9ed38d21b91690468557bbfc3d04d9d2

SHA256
f2abca08ac3ae694127afce40cd0103f02a20797d151a32f037417578b8ee732

SHA512
36435401932ea037137c985e6fee73befa346f13d632eb7258c5d365379d7a642e1a95034b10e6f5091d230deebdd7c35796fc85dc0a342b6a3aeef15a7ab102

Download Submit
C:\Users\Admin\Desktop\OpenPush.vbs.555-B4B-BE1
Filesize
1.1MB

MD5
6fe6b290c1f0641bf8f1b67054c8013b

SHA1
eca2c79197da8adc1a70ddfe29e5854ba1a45360

SHA256
023353c046b2814ef1a2792a85726da92f4d88776de9df66ab7b0c03b24ee837

SHA512
f8d780783b0231c6e0d561a8d14bec4f84c3e239874bc12c7eb1fe5c1b515b31c0e2bc4bc2b299f40e34fe87c0d80291274bf72c4df247450eb2252c4b9c418a

Download Submit
C:\Users\Admin\Desktop\OutProtect.png.555-B4B-BE1
Filesize
913KB

MD5
7a4de4ee528b238262a24c8a885a75d7

SHA1
44f897d129e3af030ac6e9daee17c1aa361ec8cc

SHA256
d186d89dac0f40f31f99a6d77e997fc7db85d1670f3707a500b184a3b3ccbb5c

SHA512
2348d344fdfd275c07fe41dacade3d6546637be88562b37beb4479d64a2360d95a2614aa815d55e3a40e0a47de63cffeda05fd640baff7e3fa78b565eac48937

Download Submit
C:\Users\Admin\Desktop\PopExpand.mpv2.555-B4B-BE1
Filesize
1.0MB

MD5
05794e90e6319ef7788d1af9aa24b9d0

SHA1
77e54c321ce953591b13d712b792fc5c6add8b84

SHA256
563baa525a552dd10b87a3352c3b0966973f57da62b4db184c69d560feeab448

SHA512
39a70a74614d1229e859b2729c0d86def18bb26873e26d2d569e33f88e05e6476fdab0120b5e34e285911484583cee952c29aff88751dfd83f2c2ab3ecb0a167

Download Submit
C:\Users\Admin\Desktop\PushSubmit.mov.555-B4B-BE1
Filesize
677KB

MD5
8009e43513f58d1f8aff22c0a5dfd196

SHA1
203813c44f4940216f47318297b46c680f9e5582

SHA256
8a73b4701914e61d768971fa5061cb2e325e92b9c3e7092d9990187f8112a64d

SHA512
cc895294bc9291f2a9bebd008ffde42b3afce96b2358f5859b71c0109ece02cc804a0a7d551448198326ee2599211122f3110567fc66bce544b068d029d5bbb1

Download Submit
C:\Users\Admin\Desktop\RequestReset.rtf.555-B4B-BE1
Filesize
947KB

MD5
18f2e7c53a3eba534511f39d88648eda

SHA1
0b3ad1abf3e0bdbce57053ecc860c9795b61aada

SHA256
d88a421acb543d2ab50ed042bd06980d920fe4860e35c17d86063bca7b9b2173

SHA512
4d86ccc788d1f80349afb44f5417a039b779400fe7177daf06f98bcfbff7129fd8891d1349fd4996bb7cf80d5091fa1e467458dc0d538092ff96264894b9572c

Download Submit
C:\Users\Admin\Desktop\RestartApprove.mid.555-B4B-BE1
Filesize
812KB

MD5
cd25b3bc0b5b8c50956cebe8b3ce0939

SHA1
bbda5310760ef5657e759cc207620664b99c9828

SHA256
b5f762b007d13e1718f3f9479709076b1769a13007ca920b24704511e896426f

SHA512
0eae68ab9f3f5cfb0bcc9ff6f8738a441106f937b1b1aa388838b641f5a2ea0d2bdd87549d3f438fa75df2bee5ee3150ea4cf0dd1a697fd54453199f0ca7ed71

Download Submit
C:\Users\Admin\Desktop\ShowInstall.xlsb.555-B4B-BE1
Filesize
542KB

MD5
f0a53aef79c952acf93278b53a3d7972

SHA1
3c2f5ccadecbf586e3a22e877f7de313ffdf9d69

SHA256
762bc47c2552126f1b64128783613d31097d6e2d1dea334f87c70d4f25e69c1c

SHA512
f099dedfc96890813fc24b767070a98bf5fe3cb10141378e02be04f04994d552fddd62350b4d3ea98bc027cfe646799e57edcc4d03b90e2645de8603f5462a8e

Download Submit
C:\Users\Admin\Desktop\SubmitAssert.inf.555-B4B-BE1
Filesize
710KB

MD5
d429100a2621d0b5a9aef317263c9fbf

SHA1
5e755e2871aa2db12380dbe7de81a20683077e1e

SHA256
33d2485c5e80ccc5a8c94b74078a955a24af242f06441a9b8b15d569c4bde8b4

SHA512
daa3dae2ca46e25c6796fb4af0ef73884ed945f37967004bc4673bf6bbe9a448fb1539ebc9c50e6bed7cdf09cae98cbe3aa8e3a162960aae5dace57fc4c9765c

Download Submit
C:\Users\Admin\Desktop\UnlockDisable.vsdm.555-B4B-BE1
Filesize
1.1MB

MD5
fa18e5263d4a4e499aed8d579b5b7ba6

SHA1
b7f24eb859a299041b54653d0e9712957c4c8808

SHA256
73899e0839fc263818eba088883e128beb1288ad6bd4bd99bbb32626aee31ada

SHA512
8908c377c8e5bfc82d73ddd08438ef05506c29ff8f4ee1f0debe9f0d44c7f3ea0a09b10632dc7a0db2e0f722118dee8599453a94cad2a4fa8f81f60319c4cfad

Download Submit
C:\Users\Admin\Desktop\UnlockRepair.m4a.555-B4B-BE1
Filesize
575KB

MD5
ee016dc032183b3855f376922415cc51

SHA1
7812a19062704708409a4556c7473c0687dd77b1

SHA256
1e5e48229b7130d9f65710a94943708d4fa9e554468f893a4e7bc023de4eb7cb

SHA512
37a7d8bab79ec26a1a974bfff06700360dd7d4eada0d05788b23fff8e481987a1d944d9a55225387204ec528c46bf12dd63155a866747741ed04a106933ed950

Download Submit
C:\Users\Admin\Desktop\UpdateWatch.mp3.555-B4B-BE1
Filesize
879KB

MD5
913c46005e83e889160b26f47977372f

SHA1
41c33b0abddfe4a86894772305c5b43c7a66b691

SHA256
7f1fc89bbed2388446cc3d1d803de51ea1b7c2beea61da06b13a6bd9e3d30023

SHA512
2fec646a77523b0062bc9fdbac09e0aa2cb1a93168c05aa3116c8e471f88d4b95ec0ea59717285214f102b8f2d89f71576a2ec2a39a534518348293184bfd023

Download Submit
C:\Users\Admin\Desktop\UseEnable.rtf.555-B4B-BE1
Filesize
508KB

MD5
d4b7984577553a652a46a39dbc009f05

SHA1
27b6e8dfc307090669c47ba2e27b738bcf998a35

SHA256
b6bf35ff09b5249170c3d178984c06eacb05ccba49639634116fd3681c72b0ed

SHA512
9a639d6501f23e191c6bd8b300c350a5607d946b62d62dc4f0e70351bacf4c1aae99e1bde6af073e7fe827b5f57701cf609e5b44526981b1e714aea04157d1ca

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
Filesize
211KB

MD5
298dcc1285045bc397ef95ec583901da

SHA1
0b983d8948b282a76bece44d61e9ac73f10cfd31

SHA256
56871e1fe3b6af154aadd2ab300f0bfc031aea4fab992dbaec57057459a0d754

SHA512
ef296ab179f5578d51ccbbe6b9194e1bd3fd46affa3a14be955e15994b6e902c01b467a962eb0d3548fe510f16c77c73d87bece92b15bc6f89c3e2dd4ffea94a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
Filesize
211KB

MD5
298dcc1285045bc397ef95ec583901da

SHA1
0b983d8948b282a76bece44d61e9ac73f10cfd31

SHA256
56871e1fe3b6af154aadd2ab300f0bfc031aea4fab992dbaec57057459a0d754

SHA512
ef296ab179f5578d51ccbbe6b9194e1bd3fd46affa3a14be955e15994b6e902c01b467a962eb0d3548fe510f16c77c73d87bece92b15bc6f89c3e2dd4ffea94a

Download Submit
memory/396-69-0x0000000000000000-mapping.dmp

Download
memory/568-65-0x0000000000000000-mapping.dmp

Download
memory/1072-68-0x0000000000000000-mapping.dmp

Download
memory/1076-60-0x0000000000000000-mapping.dmp

Download
memory/1084-67-0x0000000000000000-mapping.dmp

Download
memory/1124-66-0x0000000000000000-mapping.dmp

Download
memory/1412-70-0x0000000000000000-mapping.dmp

Download
memory/1548-73-0x0000000000000000-mapping.dmp

Download
memory/1648-71-0x0000000000000000-mapping.dmp

Download
memory/1732-100-0x0000000000000000-mapping.dmp

Download
memory/1804-57-0x0000000000000000-mapping.dmp

Download
memory/1948-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1972-64-0x0000000000000000-mapping.dmp

Download
memory/2004-63-0x0000000000000000-mapping.dmp

Download
memory/2012-62-0x0000000000000000-mapping.dmp

Download
memory/2032-102-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads