buran | 41d6fb7f590167acde5cb8d7f3c38fcdc0bcc4c33027b594003967b18e761101

Analysis

max time kernel
231s
max time network
232s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe
Size

189KB
MD5

f1ebb4dbdfc6ec7a53bcefabdc7fb6de
SHA1

b76bc50249e7420ac0f4f64e83d1a58da2068eaa
SHA256

bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb
SHA512

8608689d716fe8ed44348b4382cf4aed67de6dd4a9da2d92a8fcbd731ccf1a7f42e60ce35376ccef81b67414f2f8ea8bbcd3b2054d78f344ad92d1f4f29ca788
SSDEEP

3072:t3blGV9hulKmhbfvjv69vF6nHynNPFW7Lifa81Hh7Gl8emNiq8q/f+2L:t3bq9UlKgPuEyNFWSb1Hg6l8q/ffL

Score

10^/10

buran ransomware

Malware Config

Extracted

Path

C:\WE CAN RECOVER YOUR DATA.txt

Family

buran

Ransom Note

YOUR FILES ARE ENCRYPTED Your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: 1. Visit qtox.github.io 2. Download and install qTOX on your PC. 3. Open it, click "New Profile" and create profile. 4. Click "Add friends" button and search our contact - DA639EF141F3E3C35EA62FF284200C29FA2E7E597EF150FDD526F9891CED372CBB9AB7B8BEC8 and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Your personal ID: F2F22DBB Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Executes dropped EXE 1 IoCs

pid	Process
1116	nrnkgirn.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\DisconnectClose.tiff	nrnkgirn.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	nrnkgirn.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-2971393436-602173351-1645505021-1000\desktop.ini	nrnkgirn.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	nrnkgirn.exe
File opened (read-only)	\??\Z:	nrnkgirn.exe
File opened (read-only)	\??\A:	nrnkgirn.exe
File opened (read-only)	\??\Q:	nrnkgirn.exe
File opened (read-only)	\??\S:	nrnkgirn.exe
File opened (read-only)	\??\W:	nrnkgirn.exe
File opened (read-only)	\??\Y:	nrnkgirn.exe
File opened (read-only)	\??\I:	nrnkgirn.exe
File opened (read-only)	\??\K:	nrnkgirn.exe
File opened (read-only)	\??\M:	nrnkgirn.exe
File opened (read-only)	\??\O:	nrnkgirn.exe
File opened (read-only)	\??\R:	nrnkgirn.exe
File opened (read-only)	\??\T:	nrnkgirn.exe
File opened (read-only)	\??\X:	nrnkgirn.exe
File opened (read-only)	\??\B:	nrnkgirn.exe
File opened (read-only)	\??\F:	nrnkgirn.exe
File opened (read-only)	\??\H:	nrnkgirn.exe
File opened (read-only)	\??\L:	nrnkgirn.exe
File opened (read-only)	\??\N:	nrnkgirn.exe
File opened (read-only)	\??\V:	nrnkgirn.exe
File opened (read-only)	\??\E:	nrnkgirn.exe
File opened (read-only)	\??\G:	nrnkgirn.exe
File opened (read-only)	\??\J:	nrnkgirn.exe
File opened (read-only)	\??\P:	nrnkgirn.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms	nrnkgirn.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\WE CAN RECOVER YOUR DATA.txt	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20.png	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\script\bulletin_board_construction.js	nrnkgirn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sqlpdw.xsl.[F2F22DBB].sonickwall	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Ear.png	nrnkgirn.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	nrnkgirn.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WE CAN RECOVER YOUR DATA.txt	nrnkgirn.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pl-pl\ui-strings.js	nrnkgirn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning.png.[F2F22DBB].sonickwall	nrnkgirn.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\new_icons_retina.png	nrnkgirn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ul-oob.xrm-ms	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Call_Connecting_Loud.m4a	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_altform-unplated_contrast-white.png	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\MedTile.scale-200.png	nrnkgirn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	nrnkgirn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-200_contrast-black.png	nrnkgirn.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-disabled_32.svg.[F2F22DBB].sonickwall	nrnkgirn.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt.[F2F22DBB].sonickwall	nrnkgirn.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\WE CAN RECOVER YOUR DATA.txt	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.altform-unplated_targetsize-256.png	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\Retail_Get_Started_icon.png	nrnkgirn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AirSpace.Etw.man.[F2F22DBB].sonickwall	nrnkgirn.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\WE CAN RECOVER YOUR DATA.txt	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleUtilRT.winmd	nrnkgirn.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\WE CAN RECOVER YOUR DATA.txt	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-30_altform-unplated.png	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\ThirdPartyNotices\ThirdPartyNotices.html	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\Images\DefaultProfileImage.png	nrnkgirn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[F2F22DBB].sonickwall	nrnkgirn.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\WE CAN RECOVER YOUR DATA.txt	nrnkgirn.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\WE CAN RECOVER YOUR DATA.txt	nrnkgirn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-oob.xrm-ms.[F2F22DBB].sonickwall	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_contrast-black.png	nrnkgirn.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleMedTile.scale-125.png	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\EnsoUI\dashboard_slomo_OFF.png	nrnkgirn.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\ui-strings.js.[F2F22DBB].sonickwall	nrnkgirn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml	nrnkgirn.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\WE CAN RECOVER YOUR DATA.txt	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-256.png	nrnkgirn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MUAUTH.CAB	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-20_altform-unplated.png	nrnkgirn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\PREVIEW.GIF.[F2F22DBB].sonickwall	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\SmallTile.scale-125.png	nrnkgirn.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\altDekstopCopyPasteHelper.js	nrnkgirn.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\WE CAN RECOVER YOUR DATA.txt	nrnkgirn.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\cmm\CIEXYZ.pf.[F2F22DBB].sonickwall	nrnkgirn.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\ui-strings.js	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\resources.pri	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\lpcstrings.json	nrnkgirn.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml.[F2F22DBB].sonickwall	nrnkgirn.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml.[F2F22DBB].sonickwall	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\FacebookDialog.xbf	nrnkgirn.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\WE CAN RECOVER YOUR DATA.txt	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-100.png	nrnkgirn.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.servlet_8.1.14.v20131031.jar.[F2F22DBB].sonickwall	nrnkgirn.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\ui-strings.js	nrnkgirn.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fontconfig.bfc.[F2F22DBB].sonickwall	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	nrnkgirn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxManifest.xml	nrnkgirn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4540	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe
1116	nrnkgirn.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1116	nrnkgirn.exe
Token: SeBackupPrivilege	2360	vssvc.exe
Token: SeRestorePrivilege	2360	vssvc.exe
Token: SeAuditPrivilege	2360	vssvc.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1116	2024	bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe	84
PID 2024 wrote to memory of 1116	2024	bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe	84
PID 2024 wrote to memory of 1116	2024	bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe	84
PID 1116 wrote to memory of 4640	1116	nrnkgirn.exe	93
PID 1116 wrote to memory of 4640	1116	nrnkgirn.exe	93
PID 1116 wrote to memory of 4640	1116	nrnkgirn.exe	93
PID 4640 wrote to memory of 3808	4640	cmd.exe	95
PID 4640 wrote to memory of 3808	4640	cmd.exe	95
PID 4640 wrote to memory of 3808	4640	cmd.exe	95
PID 1116 wrote to memory of 4728	1116	nrnkgirn.exe	104
PID 1116 wrote to memory of 4728	1116	nrnkgirn.exe	104
PID 1116 wrote to memory of 4728	1116	nrnkgirn.exe	104
PID 4728 wrote to memory of 4540	4728	cmd.exe	106
PID 4728 wrote to memory of 4540	4728	cmd.exe	106
PID 4728 wrote to memory of 4540	4728	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe
"C:\Users\Admin\AppData\Local\Temp\bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2024
- C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\nrnkgirn.exe
  "C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\nrnkgirn.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C CSCRIPT.EXE //E:JScript "C:\Users\Admin\AppData\Local\Temp\PRNALLRP.SYS"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Windows\SysWOW64\cscript.exe
      CSCRIPT.EXE //E:JScript "C:\Users\Admin\AppData\Local\Temp\PRNALLRP.SYS"
      4⤵
      PID:3808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c for /l %i in (1,1,1000) do (ping -n 2 localhost & del "C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\nrnkgirn.exe" & if not exist "C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\nrnkgirn.exe" exit)
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 localhost
      4⤵
      Runs ping.exe
      PID:4540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\nrnkgirn.exe

Filesize
189KB

MD5
f1ebb4dbdfc6ec7a53bcefabdc7fb6de

SHA1
b76bc50249e7420ac0f4f64e83d1a58da2068eaa

SHA256
bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb

SHA512
8608689d716fe8ed44348b4382cf4aed67de6dd4a9da2d92a8fcbd731ccf1a7f42e60ce35376ccef81b67414f2f8ea8bbcd3b2054d78f344ad92d1f4f29ca788

Download Submit
C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\nrnkgirn.exe

Filesize
189KB

MD5
f1ebb4dbdfc6ec7a53bcefabdc7fb6de

SHA1
b76bc50249e7420ac0f4f64e83d1a58da2068eaa

SHA256
bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb

SHA512
8608689d716fe8ed44348b4382cf4aed67de6dd4a9da2d92a8fcbd731ccf1a7f42e60ce35376ccef81b67414f2f8ea8bbcd3b2054d78f344ad92d1f4f29ca788

Download Submit
C:\Users\Admin\AppData\Local\Temp\PRNALLRP.SYS

Filesize
175B

MD5
98a1a4dbdf75466df301906093847417

SHA1
3e8c7656887496694512e118795f4d28894d8f6e

SHA256
7f8367fc0177355741b1def74b2f1d81d99571f674a014896478815c9fb4d3bd

SHA512
d61cd7cbc63e28189a800efa46f82c5f4a1e513dc945b65e57d4a79308c04ab86945dd48249190456caa582891377e4e75ba678d4b28c28d4d0656d87d31519b

Download Submit