Analysis
  max time kernel:  56s
  max time network: 58s
  platform:         windows10-2004_x64
  resource:         win10v2004-20220812-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        10/10/2022, 01:37
Static task: static1

Behavioral task: behavioral1
  Sample:   808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample:   808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
  Resource: win10v2004-20220812-en
General
  Target: 808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
  Size:   264KB
  MD5:    90144b44265dd72a22ccadf0824966a1
  SHA1:   ce53459dcaed4c66140994f039bff0626ea3930c
  SHA256: 808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c
  SHA512: 655888571e37fe79441ae3320b8bc7fafa14dcb4d13c14d27a9e7129d3f567bac4564463af3a84e185c877316412c057a2fbb6be6d5b8e4c4eac5feb7f27575e
  SSDEEP: 3072:nomnzVincQDKgcVsVKmOKsuWoZGbfYgqh2jT9KNp0BjY8n:ntZSSf31lBn
Malware Config
  Extracted from: C:\Users\Admin\AppData\Local\Temp\4039503062\readme-warning.txt
  Family:         makop
Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description           PID  Process      procid_target
  PID 112 created 4256  112  svchost.exe  87

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
  PID  Process
  616  wbadmin.exe

Loads dropped DLL (2 IoCs)
  PID   Process
  2124  808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
  216   808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                          PID   Process                                                                 procid_target
  PID 2124 set thread context of 4256  2124  808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe  87
  PID 216 set thread context of 3760   216   808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe  103
Drops file in Program Files directory (64 IoCs)
  Process for every row: 808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
  description                   ioc
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\illustration-UploadToOD.svg
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.scale-100.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\XboxNotificationLogo.png
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSJHBD.TTC
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-400.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionMedTile.scale-150.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_altform-unplated_contrast-white.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\VideoWhatsNewItems.json
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\ui-strings.js
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\compare-2x.png
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-125.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\LightGray.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40_contrast-high.png
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_de_DE.jar
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-api-search.jar
  File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\ui-strings.js
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ppd.xrm-ms
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\ShareProvider_CopyLink24x24.scale-200.png
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\rename.svg
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\tr-tr\ui-strings.js
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pl-pl\readme-warning.txt
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL104.XML
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-64_contrast-black.png
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-125.png
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\download.svg
  File opened for modification  C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\readme-warning.txt
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\ui-strings.js
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\plugin.js
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\PREVIEW.GIF
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-150_contrast-black.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-48_contrast-black.png
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\readme-warning.txt
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART10.BDR
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_3.m4a
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Square310x310Logo.scale-125.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_CatEye.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-pl.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\JSByteCodeWin.bin
  File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorLargeTile.contrast-black_scale-125.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-200.png
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxBadge.scale-200.png
  File opened for modification  C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nl-nl\readme-warning.txt
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\MANIFEST.MF
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-400.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-64_altform-unplated.png
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-150.png
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\readme-warning.txt
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\readme-warning.txt
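The list above shows a single process rewriting files of many types under Program Files and creating readme-warning.txt in directory after directory. The Python below is an added example, not part of the Triage report, of a file-event heuristic for that pattern. Its input rows are constructed by hand from a handful of the report's paths, the msiexec.exe rows are made-up benign noise, and the thresholds are illustrative.

```python
"""File-event heuristic for the pattern in the IoC list above: one process
modifies files of many kinds under Program Files and drops the same note file
name into many directories. Events are constructed from a few of the report's
paths; the msiexec.exe rows are made-up benign noise."""
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = "808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe"
ADOBE = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader"

# (pid, image, action, path) rows, constructed from the report's file IoCs.
FILE_EVENTS = [
    (4256, SAMPLE, "modify", r"C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSJHBD.TTC"),
    (4256, SAMPLE, "modify", r"C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_de_DE.jar"),
    (4256, SAMPLE, "modify", r"C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui"),
    (4256, SAMPLE, "modify", r"C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat"),
    (4256, SAMPLE, "modify", ADOBE + r"\Javascripts\JSByteCodeWin.bin"),
    (4256, SAMPLE, "create", ADOBE + r"\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pl-pl\readme-warning.txt"),
    (4256, SAMPLE, "create", ADOBE + r"\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\readme-warning.txt"),
    (4256, SAMPLE, "create", ADOBE + r"\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\readme-warning.txt"),
    (4256, SAMPLE, "create", r"C:\Users\Admin\AppData\Local\Temp\4039503062\readme-warning.txt"),
    # Constructed benign noise: an installer creating its own files once each.
    (7000, "msiexec.exe", "create", r"C:\Program Files\Vendor\app.exe"),
    (7000, "msiexec.exe", "create", r"C:\Program Files\Vendor\app.dll"),
    (7000, "msiexec.exe", "modify", r"C:\Program Files\Vendor\install.log"),
]


def profile(events):
    """Per PID: the set of extensions modified, and for each created basename the set of directories."""
    ext_kinds = defaultdict(set)
    created_in = defaultdict(lambda: defaultdict(set))
    for pid, _image, action, path in events:
        p = PureWindowsPath(path)
        if action == "modify":
            ext_kinds[pid].add(p.suffix.lower())
        elif action == "create":
            created_in[pid][p.name.lower()].add(str(p.parent).lower())
    return ext_kinds, created_in


def ransomware_candidates(events, min_ext_kinds=4, min_note_dirs=3):
    """PIDs that both rewrite many file types and fan one file name out across directories."""
    ext_kinds, created_in = profile(events)
    hits = []
    for pid in sorted(set(ext_kinds) | set(created_in)):
        # Most widely replicated basename for this PID: (directory count, name).
        fanout = max(((len(dirs), name) for name, dirs in created_in[pid].items()), default=(0, None))
        if len(ext_kinds[pid]) >= min_ext_kinds and fanout[0] >= min_note_dirs:
            hits.append({"pid": pid, "note": fanout[1], "note_dirs": fanout[0], "ext_kinds": len(ext_kinds[pid])})
    return hits


if __name__ == "__main__":
    for h in ransomware_candidates(FILE_EVENTS):
        print(f"pid {h['pid']}: {h['ext_kinds']} file types modified, "
              f"'{h['note']}' created in {h['note_dirs']} directories")
```

Requiring both signals together is the point: an installer or an update creates many files but does not replicate one basename into unrelated directories, and a log writer replicates nothing. In production the window is time-bounded and the directory count is far higher than the four used here.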
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments. Note that the process in all four rows below is vds.exe (the Virtual Disk Service), not the sample, so on its own this signature is not evidence that the sample fingerprints the sandbox.
  description        ioc                                                                                                            Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000                 vds.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName    vds.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000            vds.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  PID   Process
  3732  vssadmin.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID   Process
  4256  808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
  4256  808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
  PID   Process
  2124  808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
  216   808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe

Suspicious use of AdjustPrivilegeToken (50 IoCs)
  Token                PID   Process
  SeTcbPrivilege       112   svchost.exe
  SeTcbPrivilege       112   svchost.exe
  SeBackupPrivilege    3528  vssvc.exe
  SeRestorePrivilege   3528  vssvc.exe
  SeAuditPrivilege     3528  vssvc.exe
  SeBackupPrivilege    4520  wbengine.exe
  SeRestorePrivilege   4520  wbengine.exe
  SeSecurityPrivilege  4520  wbengine.exe
  The remaining 42 rows are PID 2256 (WMIC.exe) adjusting the following 21 privileges, with the whole sequence recorded twice:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory (23 IoCs)
  Source PID  Target PID  Source process                                                          procid_target  Occurrences
  2124        4256        808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe  87             4
  112         216         svchost.exe                                                             89             7
  4256        964         808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe  90             2
  964         3732        cmd.exe                                                                 92             2
  964         616         cmd.exe                                                                 95             2
  964         2256        cmd.exe                                                                 99             2
  216         3760        808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe  103            4
Processes
(nesting depth from the original tree shown in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe"
    PID: 2124
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe"
        PID: 4256
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe" n4256
            PID: 216
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe" n4256
                PID: 3760

        [3] C:\Windows\system32\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe"
            PID: 964
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\vssadmin.exe
                Command line: vssadmin delete shadows /all /quiet
                PID: 3732
                - Interacts with shadow copies

            [4] C:\Windows\system32\wbadmin.exe
                Command line: wbadmin delete catalog -quiet
                PID: 616
                - Deletes backup catalog

            [4] C:\Windows\System32\Wbem\WMIC.exe
                Command line: wmic shadowcopy delete
                PID: 2256
                - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    PID: 112
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 3528
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    PID: 4520
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\vdsldr.exe
    Command line: C:\Windows\System32\vdsldr.exe -Embedding
    PID: 1444

[1] C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
    PID: 1768
    - Checks SCSI registry key(s)
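The process tree above, together with the WriteProcessMemory and SetThreadContext rows under Signatures, is the shape of telemetry an EDR or Sysmon pipeline records. The Python below is an added example, not part of the Triage report, of detection logic over such events: the process and API events are constructed by hand to mirror the report's PIDs and command lines, the parent PIDs 1000 and 700 are placeholders, and the "vssadmin list shadows" row is constructed noise to show that a read-only query does not fire the rule.

```python
"""Detection logic over constructed endpoint telemetry mirroring this report.

Two checks: (1) recovery-inhibiting commands (vssadmin/wbadmin/wmic, MITRE
T1490) attributed to the binary that issued them rather than the cmd.exe
wrapper; (2) a parent that writes into a child of its own image and then
resets the child's thread context, the WriteProcessMemory + SetThreadContext
pairing in the report. Parent PIDs 1000 and 700 are placeholders."""
import re
from dataclasses import dataclass

SAMPLE = "808b82686bcce67e36cd4176b077fcb7e29b7ffc340d02e5e051b179a0eb660c.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# (case-insensitive regex over the command line, label)
INHIBIT_RECOVERY = [
    (r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", "vssadmin delete shadows"),
    (r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", "wmic shadowcopy delete"),
    (r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", "wbadmin delete catalog"),
]


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class ApiEvent:
    src: int  # calling process
    dst: int  # target process
    api: str  # "WriteProcessMemory" or "SetThreadContext"


# Constructed process-creation events mirroring the report's process tree.
PROCS = [
    ProcEvent(2124, 1000, SAMPLE, f'"{TEMP}{SAMPLE}"'),
    ProcEvent(4256, 2124, SAMPLE, f'"{TEMP}{SAMPLE}"'),
    ProcEvent(216, 4256, SAMPLE, f'"{TEMP}{SAMPLE}" n4256'),
    ProcEvent(3760, 216, SAMPLE, f'"{TEMP}{SAMPLE}" n4256'),
    ProcEvent(964, 4256, "cmd.exe", '"C:\\Windows\\system32\\cmd.exe"'),
    ProcEvent(3732, 964, "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(616, 964, "wbadmin.exe", "wbadmin delete catalog -quiet"),
    ProcEvent(2256, 964, "WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(112, 700, "svchost.exe", "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s seclogon"),
    ProcEvent(5000, 4999, "vssadmin.exe", "vssadmin list shadows"),  # constructed benign noise
]

# Constructed API events mirroring the WriteProcessMemory / SetThreadContext rows.
APIS = [
    ApiEvent(2124, 4256, "WriteProcessMemory"),
    ApiEvent(2124, 4256, "SetThreadContext"),
    ApiEvent(112, 216, "WriteProcessMemory"),  # seclogon service: write only, no SetThreadContext
    ApiEvent(216, 3760, "WriteProcessMemory"),
    ApiEvent(216, 3760, "SetThreadContext"),
]


def origin_of(proc, by_pid):
    """Walk up through shell wrappers to the process that issued the command, or None if unknown."""
    cur = proc
    while cur.ppid in by_pid and by_pid[cur.ppid].image.lower() in SHELLS:
        cur = by_pid[cur.ppid]
    return by_pid.get(cur.ppid)


def detect_inhibit_recovery(procs):
    """One hit per recovery-inhibiting command, each tied to its originating process."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        for pattern, label in INHIBIT_RECOVERY:
            if re.search(pattern, p.cmdline, re.IGNORECASE):
                origin = origin_of(p, by_pid)
                hits.append({"pid": p.pid, "label": label,
                             "origin_pid": origin.pid if origin else None,
                             "origin_image": origin.image if origin else None})
    return hits


def group_by_origin(hits):
    """Origin PID -> set of distinct techniques it issued; several from one PID is the chain in this report."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["origin_pid"], set()).add(h["label"])
    return grouped


def detect_self_injection(procs, apis):
    """(src, dst, image) where src wrote into its own same-image child and then reset a thread context."""
    by_pid = {p.pid: p for p in procs}
    wrote = {(e.src, e.dst) for e in apis if e.api == "WriteProcessMemory"}
    rethreaded = {(e.src, e.dst) for e in apis if e.api == "SetThreadContext"}
    hits = []
    for src, dst in sorted(wrote & rethreaded):
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and d.ppid == src and s.image.lower() == d.image.lower():
            hits.append((src, dst, s.image))
    return hits


if __name__ == "__main__":
    for h in detect_inhibit_recovery(PROCS):
        print(f"T1490 {h['label']:<24} pid={h['pid']} origin={h['origin_pid']} ({h['origin_image']})")
    for src, dst, image in detect_self_injection(PROCS, APIS):
        print(f"same-image injection {src} -> {dst} ({image})")
```

Run stand-alone it reports three T1490 hits, all attributed to PID 4256 rather than to cmd.exe, and two same-image injection pairs (2124 -> 4256 and 216 -> 3760). The seclogon svchost.exe write into PID 216 is deliberately not flagged because no SetThreadContext follows it; requiring both calls on the same parent/child pair keeps the rule from firing on every launcher that writes into a child it just created.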
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1
  Filesize: 59KB
  MD5:      c6bbf34c59750f22ad145cfce9e44bab
  SHA1:     b756b5de979616095e41f2a0f6c69745a9a3339e
  SHA256:   3859372399eb5138c8915ea46bb6e0d6fd6bfbcbaf5ad1a4889a1b612664826c
  SHA512:   3a3371dcbc6eada3ee6caa626d62e9ce3cd8424d65a5c20ccbc4781914967820364ec0d35a1e9824730a1f8434c3c17610b4507a197049cbc3a80ea057327fbb

File 2
  Filesize: 59KB
  MD5:      e4570a9656f3f2e5027ea4f6df8f01f5
  SHA1:     07c07b50a4f5184fde9cfca120c27aa73c2163a5
  SHA256:   a9a5efb3cb54cdddc8b7be1a3c53feb36ee9203c99519da77414e7a6b7b7b493
  SHA512:   321de9548eb4a41b15ebc46aa8eb2833af2dc66ec792098c860256bb3e4b1e31a80b35659db3b7187c500511cdbb76b9d9c5cf5373be503ef8834cedfda64720

File 3
  Filesize: 11KB
  MD5:      0063d48afe5a0cdc02833145667b6641
  SHA1:     e7eb614805d183ecb1127c62decb1a6be1b4f7a8
  SHA256:   ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
  SHA512:   71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

File 4 (identical hashes to File 3; listed separately in the report)
  Filesize: 11KB
  MD5:      0063d48afe5a0cdc02833145667b6641
  SHA1:     e7eb614805d183ecb1127c62decb1a6be1b4f7a8
  SHA256:   ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
  SHA512:   71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

File 5
  Filesize: 1KB
  MD5:      475f71bbd9f61a2910ed76a28b4d043b
  SHA1:     a750771cb8f3fe34f968775daa1e14e3ab26602e
  SHA256:   7c9f905106cb1088fa2189ba195acdcbe28278249bd0548c3346d67659d6e62f
  SHA512:   747dfe3db782959637cf0102837a00526bcaa8af702546b8fa08a6f5385d5474caef8d2a15b82e75abf11d423bbc7d6aa0011fffb883ae04669a2c2031b649cc