Analysis
max time kernel: 153s
max time network: 49s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 08-12-2022 10:56
Behavioral task behavioral1
Sample: 8090cb9a98392d753116e30e0be9f25a.exe
Resource: win7-20220901-en
Behavioral task behavioral2
Sample: 8090cb9a98392d753116e30e0be9f25a.exe
Resource: win10v2004-20220812-en
General
Target: 8090cb9a98392d753116e30e0be9f25a.exe
Size: 216KB
MD5: 8090cb9a98392d753116e30e0be9f25a
SHA1: 1f45a5e3dc88e363fd6ff83d52a6a2e4ddd8951f
SHA256: ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75
SHA512: dede19a2dd8c314617c448ad785e24b511f76eecd4dcc40b1ce2a034ef57a536fc0c6f74209685f73219974b200008b1d4127783ea5738e07b2306e13db6f7dd
SSDEEP: 6144:UyJE1yd7WWlJmcyfwAPWna4DQFu/U3buRKlemZ9DnGAevIGS+:UU/d7WWKvhPWa4DQFu/U3buRKlemZ9DG
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion
Signatures
Detects Zeppelin payload (5 IoCs)
resource / yara_rule:
behavioral1/files/0x000600000000b2d2-55.dat family_zeppelin
behavioral1/files/0x000600000000b2d2-56.dat family_zeppelin
behavioral1/files/0x000600000000b2d2-58.dat family_zeppelin
behavioral1/files/0x000600000000b2d2-70.dat family_zeppelin
behavioral1/files/0x000600000000b2d2-68.dat family_zeppelin
Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Executes dropped EXE (2 IoCs)
pid / Process:
2012 taskeng.exe
1548 taskeng.exe
Deletes itself (1 IoC)
pid / Process:
552 notepad.exe
Loads dropped DLL (2 IoCs)
pid / Process:
1900 8090cb9a98392d753116e30e0be9f25a.exe
1900 8090cb9a98392d753116e30e0be9f25a.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process:
Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run (8090cb9a98392d753116e30e0be9f25a.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start" (8090cb9a98392d753116e30e0be9f25a.exe)
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process:
File opened (read-only) by taskeng.exe: \??\Y:, \??\W:, \??\H:, \??\G:, \??\A:, \??\U:, \??\T:, \??\S:, \??\N:, \??\K:, \??\F:, \??\X:, \??\V:, \??\M:, \??\E:, \??\Z:, \??\R:, \??\Q:, \??\P:, \??\O:, \??\L:, \??\J:, \??\I:, \??\B:
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid / Process:
1444 vssadmin.exe
1312 vssadmin.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs, all from PID 2012 taskeng.exe)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (55 IoCs)
Processes (indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\8090cb9a98392d753116e30e0be9f25a.exe
Command: "C:\Users\Admin\AppData\Local\Temp\8090cb9a98392d753116e30e0be9f25a.exe"
PID: 1900
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
  Command: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
  PID: 2012
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
    Command: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    PID: 296
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command: wmic shadowcopy delete
      PID: 1732
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
    Command: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    PID: 2020

    C:\Windows\SysWOW64\cmd.exe
    Command: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    PID: 1132

    C:\Windows\SysWOW64\cmd.exe
    Command: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    PID: 1696

    C:\Windows\SysWOW64\cmd.exe
    Command: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    PID: 1820
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command: wmic shadowcopy delete
      PID: 1176
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\vssadmin.exe
      Command: vssadmin delete shadows /all /quiet
      PID: 1312
      - Interacts with shadow copies

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    Command: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
    PID: 1548
    - Executes dropped EXE
    - Drops file in Program Files directory

    C:\Windows\SysWOW64\cmd.exe
    Command: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    PID: 1148
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\vssadmin.exe
      Command: vssadmin delete shadows /all /quiet
      PID: 1444
      - Interacts with shadow copies

  C:\Windows\SysWOW64\notepad.exe
  Command: notepad.exe
  PID: 552
  - Deletes itself

C:\Windows\system32\vssvc.exe
Command: C:\Windows\system32\vssvc.exe
PID: 1980
- Suspicious use of AdjustPrivilegeToken
Downloads

Filesize: 406B
MD5: ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1: b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256: e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512: b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Filesize: 216KB
MD5: 8090cb9a98392d753116e30e0be9f25a
SHA1: 1f45a5e3dc88e363fd6ff83d52a6a2e4ddd8951f
SHA256: ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75
SHA512: dede19a2dd8c314617c448ad785e24b511f76eecd4dcc40b1ce2a034ef57a536fc0c6f74209685f73219974b200008b1d4127783ea5738e07b2306e13db6f7dd