Analysis
max time kernel: 151s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-10-2022 07:29
Behavioral task behavioral1
Sample: 0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: 0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe
Resource: win10v2004-20220812-en
General
Target: 0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe
Size: 215KB
MD5: a58d761d66e5045c1b5d10b823b90afe
SHA1: 1fd48eabec99f127231deab1c36abd640e93f226
SHA256: 0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501
SHA512: 4ff1a1229c6bbb1a54e52d79486cbb66b4d62ee56d5161b96805dd5f2e386100db3cc49245e32aab7a0b2e0542cc1d6c96e42fe9c7f982fa70aef7b1f7d2a94e
SSDEEP: 6144:PyJE1yd7WEJmcyf70PWna4DQFu/U3buRKlemZ9DnGAevIX+:PU/d7WRvIPWa4DQFu/U3buRKlemZ9DnI
Malware Config
Extracted
Path: C:\ALL YOUR FILES ARE ENCRYPTED.txt
Family: buran
Signatures

Buran
Ransomware-as-a-service, first identified in 2019, derived from the VegaLocker family.

Deletes shadow copies 2 TTPs
Ransomware deletes Volume Shadow Copies and other backup data so that the victim cannot recover files without paying.

Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Process for every entry: 0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe (the parent instance, PID 832, in the process tree below). Entries in the order recorded:
File opened (read-only) \??\X:
File opened (read-only) \??\V:
File opened (read-only) \??\M:
File opened (read-only) \??\L:
File opened (read-only) \??\H:
File opened (read-only) \??\F:
File opened (read-only) \??\A:
File opened (read-only) \??\Y:
File opened (read-only) \??\Q:
File opened (read-only) \??\O:
File opened (read-only) \??\J:
File opened (read-only) \??\I:
File opened (read-only) \??\G:
File opened (read-only) \??\W:
File opened (read-only) \??\T:
File opened (read-only) \??\R:
File opened (read-only) \??\N:
File opened (read-only) \??\E:
File opened (read-only) \??\Z:
File opened (read-only) \??\U:
File opened (read-only) \??\S:
File opened (read-only) \??\P:
File opened (read-only) \??\K:
File opened (read-only) \??\B:
Drops file in Program Files directory 64 IoCs
Process for every entry: 0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe (the -agent 0 child, PID 2016, in the process tree below). Encrypted files carry the appended suffix .bbd2.BCC-E95-D79; the ransom note ALL YOUR FILES ARE ENCRYPTED.txt is created per directory. Entries in the order recorded:
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_mmx_plugin.dll.bbd2.BCC-E95-D79
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152432.WMF
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-api-caching.jar
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text_3.5.300.v20130515-1451.jar.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Darwin.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jar
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\CST6
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT.bbd2.BCC-E95-D79
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107492.WMF
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\SpiderSolitaire.exe.mui.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Adak
File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe.bbd2.BCC-E95-D79
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\ALL YOUR FILES ARE ENCRYPTED.txt
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Gaza
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\ALL YOUR FILES ARE ENCRYPTED.txt
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105240.WMF
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4.ssl_1.0.0.v20140827-1444.jar
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_mmx_plugin.dll
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar.bbd2.BCC-E95-D79
File created C:\Program Files\Java\jre7\lib\ALL YOUR FILES ARE ENCRYPTED.txt
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Stanley.bbd2.BCC-E95-D79
File created C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\ALL YOUR FILES ARE ENCRYPTED.txt
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\vlc.mo.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Tell_City
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\vlc.mo.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper.registry_1.0.300.v20130327-1442.jar.bbd2.BCC-E95-D79
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\ALL YOUR FILES ARE ENCRYPTED.txt
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo
File opened for modification C:\Program Files\7-Zip\Lang\sa.txt.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\CIEXYZ.pf
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\ALL YOUR FILES ARE ENCRYPTED.txt
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy.bbd2.BCC-E95-D79
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml
File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac.bbd2.BCC-E95-D79
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvSOFT.x3d
File opened for modification C:\Program Files\EditRestart.php
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libnetsync_plugin.dll.bbd2.BCC-E95-D79
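Two observables in the list above are what an incident responder uses to scope damage on a mounted disk image: the suffix .bbd2.BCC-E95-D79 appended to encrypted files and the note ALL YOUR FILES ARE ENCRYPTED.txt created in each directory the sample visited. As an added example, not part of the sandbox report, the following Python script walks a directory tree, recovers the original file name by stripping the suffix, counts the file types hit, and flags directories that hold a note but no encrypted file (the places to check by hand). The directory layout it builds is constructed for the demonstration; a few of its paths mirror the report, the rest are made up, and the suffix is a parameter because other runs may use a different one.

```python
"""Scope a Buran-style infection on disk from two observables: the appended file suffix
and the per-directory ransom note. Added example; not code from the sample or the sandbox."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Observables from this run. Treat the suffix as a parameter: it is what this run appended,
# and there is no guarantee another run uses the same one.
ENCRYPTED_SUFFIX = ".bbd2.BCC-E95-D79"
NOTE_NAME = "ALL YOUR FILES ARE ENCRYPTED.txt"


def scan_tree(root, suffix=ENCRYPTED_SUFFIX, note_name=NOTE_NAME):
    """Walk `root` once and return what scoping needs:
    - encrypted: {relative path of encrypted file: original file name}
    - extensions: how many files of each original extension were hit
    - note_dirs: directories where the ransom note was dropped
    - note_dirs_without_encrypted: note present but nothing encrypted there (look manually)
    - untouched: files carrying neither the suffix nor the note name
    """
    root = Path(root)
    result = {"encrypted": {}, "extensions": {}, "note_dirs": [],
              "note_dirs_without_encrypted": [], "untouched": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        has_note = has_encrypted = False
        for name in filenames:
            rel = f"{rel_dir}/{name}" if rel_dir != "." else name
            if name == note_name:
                has_note = True
            elif name.endswith(suffix):
                result["encrypted"][rel] = name[: -len(suffix)]   # strip suffix -> original name
                has_encrypted = True
            else:
                result["untouched"].append(rel)
        if has_note:
            result["note_dirs"].append(rel_dir)
            if not has_encrypted:
                result["note_dirs_without_encrypted"].append(rel_dir)
    result["extensions"] = dict(Counter(Path(orig).suffix for orig in result["encrypted"].values()))
    return result


def build_demo_tree(base):
    """Create a constructed layout under `base`. Three paths mirror entries in the report;
    the 7-Zip note, the tzdata file and kernel32.dll are made up. File contents are dummies."""
    base = Path(base)
    layout = {
        "Program Files/VideoLAN/VLC/locale/ff/LC_MESSAGES/vlc.mo.bbd2.BCC-E95-D79": b"\x00" * 32,
        "Program Files/VideoLAN/VLC/locale/ff/LC_MESSAGES/ALL YOUR FILES ARE ENCRYPTED.txt": b"note",
        "Program Files/7-Zip/Lang/sa.txt.bbd2.BCC-E95-D79": b"\x00" * 32,
        "Program Files/7-Zip/Lang/ALL YOUR FILES ARE ENCRYPTED.txt": b"note",
        "Program Files/Java/jre7/lib/ALL YOUR FILES ARE ENCRYPTED.txt": b"note",
        "Program Files/Java/jre7/lib/zi/SystemV/CST6": b"tzdata",   # left untouched here
        "Windows/System32/kernel32.dll": b"MZ",                      # left untouched here
    }
    for rel, data in layout.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return base


def run_demo():
    """Build the constructed tree in a temporary directory, scan it, and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_demo_tree(tmp))


if __name__ == "__main__":
    report = run_demo()
    print(f"{len(report['encrypted'])} encrypted files, types hit: {report['extensions']}")
    print("note dropped in:", report["note_dirs"])
    print("note but nothing encrypted (check manually):", report["note_dirs_without_encrypted"])
```

On a real image, call scan_tree on the mount point and feed the untouched list to a second pass that checks file headers: a file the sample opened for modification but did not rename (the report lists several, such as the Java zi files) still needs to be verified against a known-good copy.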
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid   Process
316   vssadmin.exe
1676  vssadmin.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Both WMIC.exe instances (PID 1948, spawned from ~temp001.bat, and PID 1980, spawned from the first cmd.exe) enabled the same 20 privileges in their tokens, in this order:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
The 64 recorded entries are this sequence for PID 1948, then for PID 1980, then again for PID 1948, followed by the first four (SeIncreaseQuotaPrivilege through SeLoadDriverPrivilege) for PID 1980. The three numeric tokens are privilege LUIDs: 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege and 35 SeCreateSymbolicLinkPrivilege.
Caveat for detection: WMIC.exe enables this privilege set on its own at start-up, so the privilege adjustment by itself is not the signal here; the signal is the command line (wmic shadowcopy delete) and the parent chain back to the sample.
Suspicious use of WriteProcessMemory 44 IoCs
Each distinct write below was recorded four times (11 x 4 = 44 entries). Every target is a child the writer created, as the process tree below confirms, so these entries record process creation by the sample and its cmd.exe children rather than injection into an unrelated process.
description                         pid   Process                                                                  procid_target
PID 832 wrote to memory of 1488     832   0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe   28
PID 832 wrote to memory of 892      832   0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe   29
PID 832 wrote to memory of 1416     832   0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe   31
PID 832 wrote to memory of 1712     832   0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe   32
PID 832 wrote to memory of 1136     832   0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe   37
PID 832 wrote to memory of 1828     832   0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe   38
PID 1488 wrote to memory of 1980    1488  cmd.exe                                                                  35
PID 832 wrote to memory of 2016     832   0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe   39
PID 1828 wrote to memory of 1948    1828  cmd.exe                                                                  42
PID 1136 wrote to memory of 316     1136  cmd.exe                                                                  43
PID 1828 wrote to memory of 1676    1828  cmd.exe                                                                  46
Processes
- C:\Users\Admin\AppData\Local\Temp\0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe (PID 832)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe"
  Signatures: Enumerates connected drives; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1488)
    Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1980)
      Command line: wmic shadowcopy delete
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 892)
    Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  - C:\Windows\SysWOW64\cmd.exe (PID 1416)
    Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - C:\Windows\SysWOW64\cmd.exe (PID 1712)
    Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
  - C:\Windows\SysWOW64\cmd.exe (PID 1136)
    Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe (PID 316)
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe (PID 1828)
    Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1948)
      Command line: wmic shadowcopy delete
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\vssadmin.exe (PID 1676)
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Users\Admin\AppData\Local\Temp\0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe (PID 2016)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe" -agent 0
    Signatures: Drops file in Program Files directory
- C:\Windows\system32\vssvc.exe (PID 1460)
  Command line: C:\Windows\system32\vssvc.exe

Reading the tree: the first instance (PID 832) does not encrypt anything itself. It enumerates drives, runs the five recovery-inhibition commands through cmd.exe /C (shadow copy deletion via wmic and vssadmin, disabling Windows recovery and boot-failure handling via bcdedit, deleting the backup catalog via wbadmin), repeats the shadow-copy deletion from a batch file it dropped in the user's Temp directory (~temp001.bat), and relaunches itself with -agent 0. That child (PID 2016) is the instance that writes the encrypted files and ransom notes under Program Files. vssvc.exe (PID 1460) is the Volume Shadow Copy service, started on demand when the deletions were requested. The image paths read C:\Windows\SysWOW64\... while the command lines name system32 because the sample is a 32-bit executable (the arch:x86 tag above) and WOW64 file-system redirection resolves system32 to SysWOW64 for it; detection logic keyed on the image path should accept both.
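The five command lines in the tree above are the standard Inhibit System Recovery set (MITRE ATT&CK T1490). As an added example, not part of the sandbox report, the following Python script runs constructed process-creation records (Sysmon Event ID 1 style; PIDs, image paths and command lines taken from the tree, plus two made-up benign rows and a placeholder launcher PID) through command-line signatures for those five commands and rolls every match up to its top-most known ancestor, so the chain is attributed to the dropper rather than to cmd.exe. The pattern names, the event tuple layout, the benign rows and the two-technique threshold are this example's own assumptions.

```python
"""Attribute recovery-inhibition commands (MITRE ATT&CK T1490) to their root process.
Added example; not code from the sample or the sandbox."""
import re

# Command-line signatures for the five commands observed in this run. Case-insensitive,
# tolerant of an ".exe" suffix and of a leading cmd.exe /C wrapper.
RECOVERY_INHIBIT_PATTERNS = {
    "vssadmin_delete_shadows":    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete":     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "bcdedit_recoveryenabled_no": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignoreallfailures":  re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "wbadmin_delete_catalog":     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed records: (pid, ppid, image, command line). Rows for PIDs 832..2016 follow the
# process tree in the report; ppid 600 for the dropper and the two rows under PID 700 are
# made up (a launcher and an administrator's ordinary use of the same tools).
SAMPLE_EVENTS = [
    (832, 600, SAMPLE, f'"{SAMPLE}"'),
    (1488, 832, CMD, r'"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete'),
    (1980, 1488, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    (892, 832, CMD, r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no'),
    (1416, 832, CMD, r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    (1712, 832, CMD, r'"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet'),
    (1136, 832, CMD, r'"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet'),
    (316, 1136, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (1828, 832, CMD, r'"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat'),
    (1948, 1828, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    (1676, 1828, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (2016, 832, SAMPLE, f'"{SAMPLE}" -agent 0'),
    (3001, 700, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C vssadmin list shadows'),
    (3002, 700, r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),
]


def match_recovery_inhibit(cmdline):
    """Names of every recovery-inhibition signature the command line matches."""
    return [name for name, rx in RECOVERY_INHIBIT_PATTERNS.items() if rx.search(cmdline)]


def find_recovery_inhibit_chains(events):
    """Group matching processes under their top-most ancestor present in `events`.
    Returns {root_pid: {"image": str, "techniques": set, "pids": [matching pids]}}."""
    parents = {pid: ppid for pid, ppid, _img, _cmd in events}
    images = {pid: img for pid, _ppid, img, _cmd in events}
    chains = {}
    for pid, _ppid, _img, cmd in events:
        hits = match_recovery_inhibit(cmd)
        if not hits:
            continue
        root, seen = pid, {pid}
        # climb while the parent is a known process (guard against ppid cycles in bad telemetry)
        while parents.get(root) in parents and parents[root] not in seen:
            root = parents[root]
            seen.add(root)
        entry = chains.setdefault(root, {"image": images[root], "techniques": set(), "pids": []})
        entry["techniques"].update(hits)
        entry["pids"].append(pid)
    return chains


def classify(entry):
    """Two or more distinct recovery-inhibition techniques under one root is the ransomware
    pattern; a single one can still be an administrator and is only queued for review."""
    return "high" if len(entry["techniques"]) >= 2 else "review"


if __name__ == "__main__":
    for root, entry in find_recovery_inhibit_chains(SAMPLE_EVENTS).items():
        print(root, entry["image"], classify(entry), sorted(entry["techniques"]))
```

The roll-up matters more than the patterns: alerting on `vssadmin delete shadows` alone fires on cmd.exe, which tells the responder nothing, while the root here is the dropper in the user's Temp directory, which is the artefact to collect.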
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 406B
MD5: ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1: b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256: e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512: b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9