makop | 7c67f47bb89ea053ca8266465ccb54dd3e9251684ac7d1c5001752237ef0f133

Analysis

max time kernel
59s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10-10-2022 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
Size

264KB
MD5

90144b44265dd72a22ccadf0824966a1
SHA1

ce53459dcaed4c66140994f039bff0626ea3930c
SHA256

808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c
SHA512

655888571e37fe79441ae3320b8bc7fafa14dcb4d13c14d27a9e7129d3f567bac4564463af3a84e185c877316412c057a2fbb6be6d5b8e4c4eac5feb7f27575e
SSDEEP

3072:nomnzVincQDKgcVsVKmOKsuWoZGbfYgqh2jT9KNp0BjY8n:ntZSSf31lBn

Score

10^/10

makop ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\2267484497\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "gamigin" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] or [email protected] or [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

[email protected]

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
848	wbadmin.exe

Loads dropped DLL 2 IoCs

pid	Process
1992	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
1700	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 1936	1992	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe	26
PID 1700 set thread context of 1988	1700	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe	40

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00011_.GIF	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01173_.WMF	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper.registry_1.0.300.v20130327-1442.jar	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+10	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\drag.png	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_rest.png	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\readme-warning.txt	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\curtains.png	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\readme-warning.txt	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\Xusage.txt	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif.[277CAB3B].[[email protected]].gamigin	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\readme-warning.txt	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Ceuta	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\readme-warning.txt	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_de.properties	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-11	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\jvm.lib	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Curacao	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\vlc.mo	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\settings.html	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\readme-warning.txt	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+5	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Efate	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSWDS_FR.LEX	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00449_.WMF	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Majuro	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\LICENSE	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Godthab	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Norfolk	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File created	C:\Program Files\Microsoft Games\Mahjong\ja-JP\readme-warning.txt	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Hand Prints.htm	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.SF	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File created	C:\Program Files\Microsoft Games\Mahjong\it-IT\readme-warning.txt	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif.[277CAB3B].[[email protected]].gamigin	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\HandPrints.jpg	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\setup_wm.exe.mui	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\cpu.css	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\settings.html	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01461_.WMF	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\WMM2CLIP.dll.mui	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.server_8.1.14.v20131031.jar	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_h.png	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01170_.WMF	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkDrop32x32.gif	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\readme-warning.txt	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\vlc.mo	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1448	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1936	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1992	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
1700	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeBackupPrivilege	1288	vssvc.exe
Token: SeRestorePrivilege	1288	vssvc.exe
Token: SeAuditPrivilege	1288	vssvc.exe
Token: SeBackupPrivilege	1056	wbengine.exe
Token: SeRestorePrivilege	1056	wbengine.exe
Token: SeSecurityPrivilege	1056	wbengine.exe
Token: SeIncreaseQuotaPrivilege	1688	WMIC.exe
Token: SeSecurityPrivilege	1688	WMIC.exe
Token: SeTakeOwnershipPrivilege	1688	WMIC.exe
Token: SeLoadDriverPrivilege	1688	WMIC.exe
Token: SeSystemProfilePrivilege	1688	WMIC.exe
Token: SeSystemtimePrivilege	1688	WMIC.exe
Token: SeProfSingleProcessPrivilege	1688	WMIC.exe
Token: SeIncBasePriorityPrivilege	1688	WMIC.exe
Token: SeCreatePagefilePrivilege	1688	WMIC.exe
Token: SeBackupPrivilege	1688	WMIC.exe
Token: SeRestorePrivilege	1688	WMIC.exe
Token: SeShutdownPrivilege	1688	WMIC.exe
Token: SeDebugPrivilege	1688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1688	WMIC.exe
Token: SeRemoteShutdownPrivilege	1688	WMIC.exe
Token: SeUndockPrivilege	1688	WMIC.exe
Token: SeManageVolumePrivilege	1688	WMIC.exe
Token: 33	1688	WMIC.exe
Token: 34	1688	WMIC.exe
Token: 35	1688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1688	WMIC.exe
Token: SeSecurityPrivilege	1688	WMIC.exe
Token: SeTakeOwnershipPrivilege	1688	WMIC.exe
Token: SeLoadDriverPrivilege	1688	WMIC.exe
Token: SeSystemProfilePrivilege	1688	WMIC.exe
Token: SeSystemtimePrivilege	1688	WMIC.exe
Token: SeProfSingleProcessPrivilege	1688	WMIC.exe
Token: SeIncBasePriorityPrivilege	1688	WMIC.exe
Token: SeCreatePagefilePrivilege	1688	WMIC.exe
Token: SeBackupPrivilege	1688	WMIC.exe
Token: SeRestorePrivilege	1688	WMIC.exe
Token: SeShutdownPrivilege	1688	WMIC.exe
Token: SeDebugPrivilege	1688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1688	WMIC.exe
Token: SeRemoteShutdownPrivilege	1688	WMIC.exe
Token: SeUndockPrivilege	1688	WMIC.exe
Token: SeManageVolumePrivilege	1688	WMIC.exe
Token: 33	1688	WMIC.exe
Token: 34	1688	WMIC.exe
Token: 35	1688	WMIC.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1936	1992	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe	26
PID 1992 wrote to memory of 1936	1992	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe	26
PID 1992 wrote to memory of 1936	1992	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe	26
PID 1992 wrote to memory of 1936	1992	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe	26
PID 1992 wrote to memory of 1936	1992	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe	26
PID 1936 wrote to memory of 1516	1936	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe	28
PID 1936 wrote to memory of 1516	1936	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe	28
PID 1936 wrote to memory of 1516	1936	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe	28
PID 1936 wrote to memory of 1516	1936	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe	28
PID 1516 wrote to memory of 1448	1516	cmd.exe	30
PID 1516 wrote to memory of 1448	1516	cmd.exe	30
PID 1516 wrote to memory of 1448	1516	cmd.exe	30
PID 1516 wrote to memory of 848	1516	cmd.exe	33
PID 1516 wrote to memory of 848	1516	cmd.exe	33
PID 1516 wrote to memory of 848	1516	cmd.exe	33
PID 1516 wrote to memory of 1688	1516	cmd.exe	37
PID 1516 wrote to memory of 1688	1516	cmd.exe	37
PID 1516 wrote to memory of 1688	1516	cmd.exe	37
PID 1700 wrote to memory of 1988	1700	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe	40
PID 1700 wrote to memory of 1988	1700	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe	40
PID 1700 wrote to memory of 1988	1700	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe	40
PID 1700 wrote to memory of 1988	1700	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe	40
PID 1700 wrote to memory of 1988	1700	808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe	40

C:\Users\Admin\AppData\Local\Temp\808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
"C:\Users\Admin\AppData\Local\Temp\808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
  "C:\Users\Admin\AppData\Local\Temp\808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
    "C:\Users\Admin\AppData\Local\Temp\808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe" n1936
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
      "C:\Users\Admin\AppData\Local\Temp\808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe" n1936
      4⤵
      PID:1988
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1448
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:848
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:108

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\161452845

Filesize
59KB

MD5
c6bbf34c59750f22ad145cfce9e44bab

SHA1
b756b5de979616095e41f2a0f6c69745a9a3339e

SHA256
3859372399eb5138c8915ea46bb6e0d6fd6bfbcbaf5ad1a4889a1b612664826c

SHA512
3a3371dcbc6eada3ee6caa626d62e9ce3cd8424d65a5c20ccbc4781914967820364ec0d35a1e9824730a1f8434c3c17610b4507a197049cbc3a80ea057327fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\161452845

Filesize
59KB

MD5
38a0d3842858bfa55249dc8df995106a

SHA1
413063c16dd68de394c2c1ec008468222f4cf0e4

SHA256
2f583c2780d5af44e88b27c9445ac1e877cde27f03bd1876bd82847d1f948d5b

SHA512
8504153895c37b33b63d317c3cfaf57d4c751f8eada1dd97da1b9de9b8ed43e7ab760b0030075adbffcf9dca994010b89199a8f6ae7e4865eec284b4984c6676

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk

Filesize
1KB

MD5
848612a4e7ac45d6d6c6f1b6c97e3ebf

SHA1
77deaec6ea456c99ec86094601d3b7eb5f98d23c

SHA256
57c8412e3686ad4958f78a78a302c3eb89412a3319bb6eb7666cbc497f9bd602

SHA512
e9099968ae083525c6ae29f99eb801190c78430da662fe9ea36ff3684442335d82cd4909f889ddafd121483346312661801d40ba2935a27980d95ff6f7856ffc

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CA3.tmp\System.dll

Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
\Users\Admin\AppData\Local\Temp\nst845E.tmp\System.dll

Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
memory/848-67-0x000007FEFBE81000-0x000007FEFBE83000-memory.dmp

Filesize
8KB

Download
memory/1936-58-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1936-73-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1988-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1988-74-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1992-54-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download