makop | a6566bc4c76a36a0e880d2151e0a86a59c3af57082b7c83a669dba3f28afb959

Analysis

max time kernel
98s
max time network
102s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17-11-2022 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.FileRepMalware.4018.10238.exe
Size

853KB
MD5

d26afd54021ba871403b3c6ba520e4ae
SHA1

a7f2167bb9748122f72e751b98c80c317f1e6af9
SHA256

a6566bc4c76a36a0e880d2151e0a86a59c3af57082b7c83a669dba3f28afb959
SHA512

4459ee49492a151c00771a8b3ec4fc8aae919c860c3679fda4d8c63ca973055290ed5d9e928a2080049cf27f63190c9a3ce68b20d984291837327f2684e7b206
SSDEEP

24576:7Syo/l/4X2EM3GdNsFiKZqzYvqi/NmZrRV/tJ:caXNM2PBKZAsAZrRVVJ

Score

10^/10

makop ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "gamigin" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] or [email protected] or [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

[email protected]

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
700	wbadmin.exe

Loads dropped DLL 2 IoCs

pid	Process
2044	SecuriteInfo.com.FileRepMalware.4018.10238.exe
952	SecuriteInfo.com.FileRepMalware.4018.10238.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 1784	2044	SecuriteInfo.com.FileRepMalware.4018.10238.exe	26
PID 952 set thread context of 856	952	SecuriteInfo.com.FileRepMalware.4018.10238.exe	33

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_down.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\HxRuntime.HxS	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\AXIS.INF	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01242_.GIF	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Black Tie.thmx	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\readme-warning.txt	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\readme-warning.txt	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02262_.WMF	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Sts2.css	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL111.XML	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql70.xsl	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107308.WMF	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\SEAMARBL.JPG	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\MeasureUnpublish.rtf	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths.[E74B9C41].[[email protected]].gamigin	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\PREVIEW.GIF	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14654_.GIF	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\TAB_OFF.GIF	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_m.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\BLUEPRNT.INF	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00775_.WMF	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Palau	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\NamedURLs.HxK	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00544_.WMF	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Median.thmx	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office 2.xml	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART5.BDR	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.LEX	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Salta	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\corner.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Brunei	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\service.js	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\3.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02280_.WMF	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199549.WMF	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZTOOL.ACCDE	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Cairo	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_ja.jar	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107724.WMF	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ASCIIENG.LNG	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Lisbon	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_settings.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SWEST_01.MID	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\gadget.xml	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Curacao	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Berlin	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\wordpad.exe.mui	SecuriteInfo.com.FileRepMalware.4018.10238.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1392	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1784	SecuriteInfo.com.FileRepMalware.4018.10238.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2044	SecuriteInfo.com.FileRepMalware.4018.10238.exe
952	SecuriteInfo.com.FileRepMalware.4018.10238.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeBackupPrivilege	1752	vssvc.exe
Token: SeRestorePrivilege	1752	vssvc.exe
Token: SeAuditPrivilege	1752	vssvc.exe
Token: SeBackupPrivilege	2012	wbengine.exe
Token: SeRestorePrivilege	2012	wbengine.exe
Token: SeSecurityPrivilege	2012	wbengine.exe
Token: SeIncreaseQuotaPrivilege	928	WMIC.exe
Token: SeSecurityPrivilege	928	WMIC.exe
Token: SeTakeOwnershipPrivilege	928	WMIC.exe
Token: SeLoadDriverPrivilege	928	WMIC.exe
Token: SeSystemProfilePrivilege	928	WMIC.exe
Token: SeSystemtimePrivilege	928	WMIC.exe
Token: SeProfSingleProcessPrivilege	928	WMIC.exe
Token: SeIncBasePriorityPrivilege	928	WMIC.exe
Token: SeCreatePagefilePrivilege	928	WMIC.exe
Token: SeBackupPrivilege	928	WMIC.exe
Token: SeRestorePrivilege	928	WMIC.exe
Token: SeShutdownPrivilege	928	WMIC.exe
Token: SeDebugPrivilege	928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	928	WMIC.exe
Token: SeRemoteShutdownPrivilege	928	WMIC.exe
Token: SeUndockPrivilege	928	WMIC.exe
Token: SeManageVolumePrivilege	928	WMIC.exe
Token: 33	928	WMIC.exe
Token: 34	928	WMIC.exe
Token: 35	928	WMIC.exe
Token: SeIncreaseQuotaPrivilege	928	WMIC.exe
Token: SeSecurityPrivilege	928	WMIC.exe
Token: SeTakeOwnershipPrivilege	928	WMIC.exe
Token: SeLoadDriverPrivilege	928	WMIC.exe
Token: SeSystemProfilePrivilege	928	WMIC.exe
Token: SeSystemtimePrivilege	928	WMIC.exe
Token: SeProfSingleProcessPrivilege	928	WMIC.exe
Token: SeIncBasePriorityPrivilege	928	WMIC.exe
Token: SeCreatePagefilePrivilege	928	WMIC.exe
Token: SeBackupPrivilege	928	WMIC.exe
Token: SeRestorePrivilege	928	WMIC.exe
Token: SeShutdownPrivilege	928	WMIC.exe
Token: SeDebugPrivilege	928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	928	WMIC.exe
Token: SeRemoteShutdownPrivilege	928	WMIC.exe
Token: SeUndockPrivilege	928	WMIC.exe
Token: SeManageVolumePrivilege	928	WMIC.exe
Token: 33	928	WMIC.exe
Token: 34	928	WMIC.exe
Token: 35	928	WMIC.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1784	2044	SecuriteInfo.com.FileRepMalware.4018.10238.exe	26
PID 2044 wrote to memory of 1784	2044	SecuriteInfo.com.FileRepMalware.4018.10238.exe	26
PID 2044 wrote to memory of 1784	2044	SecuriteInfo.com.FileRepMalware.4018.10238.exe	26
PID 2044 wrote to memory of 1784	2044	SecuriteInfo.com.FileRepMalware.4018.10238.exe	26
PID 2044 wrote to memory of 1784	2044	SecuriteInfo.com.FileRepMalware.4018.10238.exe	26
PID 1784 wrote to memory of 1664	1784	SecuriteInfo.com.FileRepMalware.4018.10238.exe	28
PID 1784 wrote to memory of 1664	1784	SecuriteInfo.com.FileRepMalware.4018.10238.exe	28
PID 1784 wrote to memory of 1664	1784	SecuriteInfo.com.FileRepMalware.4018.10238.exe	28
PID 1784 wrote to memory of 1664	1784	SecuriteInfo.com.FileRepMalware.4018.10238.exe	28
PID 1664 wrote to memory of 1392	1664	cmd.exe	30
PID 1664 wrote to memory of 1392	1664	cmd.exe	30
PID 1664 wrote to memory of 1392	1664	cmd.exe	30
PID 952 wrote to memory of 856	952	SecuriteInfo.com.FileRepMalware.4018.10238.exe	33
PID 952 wrote to memory of 856	952	SecuriteInfo.com.FileRepMalware.4018.10238.exe	33
PID 952 wrote to memory of 856	952	SecuriteInfo.com.FileRepMalware.4018.10238.exe	33
PID 952 wrote to memory of 856	952	SecuriteInfo.com.FileRepMalware.4018.10238.exe	33
PID 952 wrote to memory of 856	952	SecuriteInfo.com.FileRepMalware.4018.10238.exe	33
PID 1664 wrote to memory of 700	1664	cmd.exe	34
PID 1664 wrote to memory of 700	1664	cmd.exe	34
PID 1664 wrote to memory of 700	1664	cmd.exe	34
PID 1664 wrote to memory of 928	1664	cmd.exe	38
PID 1664 wrote to memory of 928	1664	cmd.exe	38
PID 1664 wrote to memory of 928	1664	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.4018.10238.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.4018.10238.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.4018.10238.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.4018.10238.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.4018.10238.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.4018.10238.exe" n1784
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.4018.10238.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.4018.10238.exe" n1784
      4⤵
      PID:856
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1392
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:700
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:268

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\681096313

Filesize
645KB

MD5
470cc9935c68fd64655ccb51d5d0d731

SHA1
cba611dbd1f784c0bffa64720181327004b23653

SHA256
fcc3cf71d0be88e485e9c3e19adc64438b038562643aac3e52aa98e82280d8b6

SHA512
f363c352bc41d81fcbb1095b0e0c784fcf23053f70156d5495db065871d99df87ce1dac40a0d5740fdac5608f538c6647d1e8053ae3bd6152c618e18665e2ee6

Download Submit
C:\Users\Admin\AppData\Roaming\681096313

Filesize
645KB

MD5
3482ac1df177ded3b658886999c7d1d3

SHA1
9552b6c9245eb6d3301a624b6ae3b2d3e6157691

SHA256
392398c45c732f8d427d2956e890fd6fb08eabfeaa111922c31f151746089f3a

SHA512
9394ae2ec60b3927e01c336750112c099fd7b1fc7a11e1349491c5edba7f1cf8ac7b3e30ac75d9bc7098005a8ae186f1143d675e3faca53a8676e1782b01f6c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk

Filesize
1KB

MD5
8b5739f9e9db0520d549d21858911087

SHA1
771044f9f8771851f25113c0110cd8deabcfeac6

SHA256
b1d59d8a1efe4a9471553b0499563edb0695c44f50a09137470a8988f57f1302

SHA512
3c74cea93dec3d61919c74de9fb77245e5fdca36298857243c97411205b4ab39ce9b1edbf3cdb6bd4099d438302093ccaeceb9ac3668f9981d9d23c735d0eadf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk

Filesize
1KB

MD5
976e1203f06a12f2f31291a6ca9e3ae5

SHA1
450a028de55a8de57c74e8c9b3229e5af5dac8a8

SHA256
97c6b5c6e6548860a83fbc24300cf62bbd993773508d574b3703e5da2ba40c35

SHA512
8fd10392bfb050e4fd74d30fe0b278ce1945d8f9ecc1e5b7e21f8c91a5e0856371d857acbf3ee416f16b3d8e75bd08dd91c663ca371e17f67219c9570f471d29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk

Filesize
1KB

MD5
b9567d1067d08dce1fd8648354736408

SHA1
acb7d576494d871310330406436fb2e30c56dde7

SHA256
a09d4071374b98083d001d0d9997ed76bc307de4182b18cf45637a910aaccabf

SHA512
1c6bf66845ec83044ce22e80c9c0bb271eb7d695b10871ab7dddabe058c954058f24942f7c69e9d848c954f7aaf9f4f530075071842fd4a3a752b5f3b44f48d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk

Filesize
1KB

MD5
195e24fe45e442e38fb77fd07dab258e

SHA1
d0970fbe1820dd8c89c90ec8ce0782f5d841cac8

SHA256
5d0990ca968e24c72d589c9a3fe20a25e2b40a79bee7d839428c0a3b49f23021

SHA512
ef5081641384c86b06fa496b57391818812cbb3869300418b4d3bf22cdc9cd001e20264ab470afde24d25e1996565d6c12b9cac4b6e64c7eaeceb0ef654d01a7

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3A92.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nso58AD.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/700-69-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download
memory/856-70-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/856-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1784-73-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1784-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1784-77-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2044-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download