Analysis
- max time kernel: 262s
- max time network: 335s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
- submitted: 02-12-2022 13:07
Behavioral task behavioral1
- Sample: 8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe
- Resource: win7-20221111-en
Behavioral task behavioral2
- Sample: 8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe
- Resource: win10v2004-20221111-en
General
- Target: 8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe
- Size: 218KB
- MD5: b8845a76e3942ff4d20ba4660ae926bb
- SHA1: eb90f945087c270a2ecc11753180ba4ecc270696
- SHA256: 8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee
- SHA512: 9e2eda3dfe3bbdf149707eefe67d889fc88e0aa45ae23023367a8914b8feabd1badb043dfb5f8301541d4489d31b79164380a5ac8031662156c639008c26c4fc
- SSDEEP: 6144:aC61i972rJmciP98f2H64DQFu/U3buRKlemZ9DnGAe/Ix3Sd7+:aK972I/Gf2a4DQFu/U3buRKlemZ9DnG9
Malware Config
Signatures
-
Detects Zeppelin payload 5 IoCs
resource                                     yara_rule
behavioral1/files/0x000c000000012300-55.dat  family_zeppelin
behavioral1/files/0x000c000000012300-56.dat  family_zeppelin
behavioral1/files/0x000c000000012300-58.dat  family_zeppelin
behavioral1/files/0x000c000000012300-68.dat  family_zeppelin
behavioral1/files/0x000c000000012300-70.dat  family_zeppelin
-
Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
pid   Process
1280  services.exe
832   services.exe
-
Deletes itself 1 IoCs
pid   Process
1860  notepad.exe
-
Loads dropped DLL 2 IoCs
pid   Process
1172  8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe
1172  8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description      ioc                                                                                                                                                                                                                           Process
Key created      \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                                                    8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"                  8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\P:  services.exe
File opened (read-only)  \??\L:  services.exe
File opened (read-only)  \??\H:  services.exe
File opened (read-only)  \??\F:  services.exe
File opened (read-only)  \??\A:  services.exe
File opened (read-only)  \??\Z:  services.exe
File opened (read-only)  \??\S:  services.exe
File opened (read-only)  \??\K:  services.exe
File opened (read-only)  \??\G:  services.exe
File opened (read-only)  \??\E:  services.exe
File opened (read-only)  \??\V:  services.exe
File opened (read-only)  \??\U:  services.exe
File opened (read-only)  \??\T:  services.exe
File opened (read-only)  \??\O:  services.exe
File opened (read-only)  \??\I:  services.exe
File opened (read-only)  \??\W:  services.exe
File opened (read-only)  \??\X:  services.exe
File opened (read-only)  \??\R:  services.exe
File opened (read-only)  \??\Q:  services.exe
File opened (read-only)  \??\N:  services.exe
File opened (read-only)  \??\M:  services.exe
File opened (read-only)  \??\J:  services.exe
File opened (read-only)  \??\B:  services.exe
File opened (read-only)  \??\Y:  services.exe
-
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid   Process
1540  vssadmin.exe
1596  vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 55 IoCs
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe
   "C:\Users\Admin\AppData\Local\Temp\8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1172
   2⤵ C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1280
      3⤵ C:\Windows\SysWOW64\cmd.exe
         "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
         - Suspicious use of WriteProcessMemory
         PID: 1388
         4⤵ C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken
            PID: 1628
      3⤵ C:\Windows\SysWOW64\cmd.exe
         "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
         PID: 1660
      3⤵ C:\Windows\SysWOW64\cmd.exe
         "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
         PID: 704
      3⤵ C:\Windows\SysWOW64\cmd.exe
         "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
         PID: 840
      3⤵ C:\Windows\SysWOW64\cmd.exe
         "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
         - Suspicious use of WriteProcessMemory
         PID: 1716
         4⤵ C:\Windows\SysWOW64\vssadmin.exe
            vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
            PID: 1540
      3⤵ C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
         "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
         - Executes dropped EXE
         - Drops file in Program Files directory
         PID: 832
      3⤵ C:\Windows\SysWOW64\cmd.exe
         "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
         - Suspicious use of WriteProcessMemory
         PID: 1216
         4⤵ C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken
            PID: 2020
         4⤵ C:\Windows\SysWOW64\vssadmin.exe
            vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
            PID: 1596
   2⤵ C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      - Deletes itself
      PID: 1860
1⤵ C:\Windows\system32\vssvc.exe
   C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken
   PID: 928
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 521B
  MD5: 8a55e9dcda6d9b5b2a7c0ecaccf13068
  SHA1: 4804d35c80a15f7d63c3a143aa26778391537e2b
  SHA256: db6cd89149e838122410fd50253ce2460444dea299d5c49b1a2f97b561b0d749
  SHA512: c849477241bc950994dd85387f51be5e050604c7d46f10c4b9fb3bc7e308d658a08a7f3aa0b691eefb5fac2baaf7a5dd799bb159758b600e4f8d332329b44e9c
- Filesize: 218KB
  MD5: b8845a76e3942ff4d20ba4660ae926bb
  SHA1: eb90f945087c270a2ecc11753180ba4ecc270696
  SHA256: 8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee
  SHA512: 9e2eda3dfe3bbdf149707eefe67d889fc88e0aa45ae23023367a8914b8feabd1badb043dfb5f8301541d4489d31b79164380a5ac8031662156c639008c26c4fc