zeppelin | ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75

Analysis

max time kernel
156s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2022 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8090cb9a98392d753116e30e0be9f25a.exe
Size

216KB
MD5

8090cb9a98392d753116e30e0be9f25a
SHA1

1f45a5e3dc88e363fd6ff83d52a6a2e4ddd8951f
SHA256

ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75
SHA512

dede19a2dd8c314617c448ad785e24b511f76eecd4dcc40b1ce2a034ef57a536fc0c6f74209685f73219974b200008b1d4127783ea5738e07b2306e13db6f7dd
SSDEEP

6144:UyJE1yd7WWlJmcyfwAPWna4DQFu/U3buRKlemZ9DnGAevIGS+:UU/d7WWKvhPWa4DQFu/U3buRKlemZ9DG

Score

10^/10

zeppelin persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Ransom Note

ALL YOUR FILES HAVE BEEN ENCRYPTED BY "VICE SOCIETY" All your important documents, photos, databases were stolen and encrypted. If you don't contact us in 7 days we will upload your files to darknet. The only method of recovering files is to purchase an unique private key. We are the only who can give you tool to recover your files. To proove that we have the key and it works you can send us 2 files and we decrypt it for free (not more than 2 MB each). This file should be not valuable! Write to email: [email protected] Alternative email: [email protected] Public emai:l [email protected] Our tor website: vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to ours) or you can become a victim of a scam.

Emails

[email protected]

URLs

http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion

Signatures

Detects Zeppelin payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000d000000022f5a-133.dat	family_zeppelin
behavioral2/files/0x000d000000022f5a-134.dat	family_zeppelin
behavioral2/files/0x000d000000022f5a-143.dat	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

Processes:

services.exeservices.exe

pid	Process
4928	services.exe
1780	services.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8090cb9a98392d753116e30e0be9f25a.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	8090cb9a98392d753116e30e0be9f25a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8090cb9a98392d753116e30e0be9f25a.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	8090cb9a98392d753116e30e0be9f25a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"	8090cb9a98392d753116e30e0be9f25a.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

services.exe

description	ioc	Process
File opened (read-only)	\??\V:	services.exe
File opened (read-only)	\??\Q:	services.exe
File opened (read-only)	\??\M:	services.exe
File opened (read-only)	\??\X:	services.exe
File opened (read-only)	\??\W:	services.exe
File opened (read-only)	\??\U:	services.exe
File opened (read-only)	\??\T:	services.exe
File opened (read-only)	\??\S:	services.exe
File opened (read-only)	\??\R:	services.exe
File opened (read-only)	\??\O:	services.exe
File opened (read-only)	\??\N:	services.exe
File opened (read-only)	\??\Z:	services.exe
File opened (read-only)	\??\Y:	services.exe
File opened (read-only)	\??\B:	services.exe
File opened (read-only)	\??\K:	services.exe
File opened (read-only)	\??\I:	services.exe
File opened (read-only)	\??\F:	services.exe
File opened (read-only)	\??\L:	services.exe
File opened (read-only)	\??\J:	services.exe
File opened (read-only)	\??\G:	services.exe
File opened (read-only)	\??\E:	services.exe
File opened (read-only)	\??\A:	services.exe
File opened (read-only)	\??\P:	services.exe
File opened (read-only)	\??\H:	services.exe

Drops file in Program Files directory 64 IoCs

Processes:

services.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-pl.xrm-ms.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyLetter.dotx	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_ko.properties.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ppd.xrm-ms.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.jasper.glassfish_2.2.2.v201205150955.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core.xml	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\classlist.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.map	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXC	services.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\amd64\jvm.cfg.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-phn.xrm-ms	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_zh_CN.jar.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-pl.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xsl.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CLICK.WAV.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe.v-society.D99-FF7-466	services.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\NOTICE	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-masterfs-nio2.jar	services.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg.v-society.D99-FF7-466	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html.v-society.D99-FF7-466	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

services.exe

pid	Process
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe
4928	services.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

8090cb9a98392d753116e30e0be9f25a.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	4284	8090cb9a98392d753116e30e0be9f25a.exe
Token: SeDebugPrivilege	4284	8090cb9a98392d753116e30e0be9f25a.exe
Token: SeIncreaseQuotaPrivilege	1680	WMIC.exe
Token: SeSecurityPrivilege	1680	WMIC.exe
Token: SeTakeOwnershipPrivilege	1680	WMIC.exe
Token: SeLoadDriverPrivilege	1680	WMIC.exe
Token: SeSystemProfilePrivilege	1680	WMIC.exe
Token: SeSystemtimePrivilege	1680	WMIC.exe
Token: SeProfSingleProcessPrivilege	1680	WMIC.exe
Token: SeIncBasePriorityPrivilege	1680	WMIC.exe
Token: SeCreatePagefilePrivilege	1680	WMIC.exe
Token: SeBackupPrivilege	1680	WMIC.exe
Token: SeRestorePrivilege	1680	WMIC.exe
Token: SeShutdownPrivilege	1680	WMIC.exe
Token: SeDebugPrivilege	1680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1680	WMIC.exe
Token: SeRemoteShutdownPrivilege	1680	WMIC.exe
Token: SeUndockPrivilege	1680	WMIC.exe
Token: SeManageVolumePrivilege	1680	WMIC.exe
Token: 33	1680	WMIC.exe
Token: 34	1680	WMIC.exe
Token: 35	1680	WMIC.exe
Token: 36	1680	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4220	WMIC.exe
Token: SeSecurityPrivilege	4220	WMIC.exe
Token: SeTakeOwnershipPrivilege	4220	WMIC.exe
Token: SeLoadDriverPrivilege	4220	WMIC.exe
Token: SeSystemProfilePrivilege	4220	WMIC.exe
Token: SeSystemtimePrivilege	4220	WMIC.exe
Token: SeProfSingleProcessPrivilege	4220	WMIC.exe
Token: SeIncBasePriorityPrivilege	4220	WMIC.exe
Token: SeCreatePagefilePrivilege	4220	WMIC.exe
Token: SeBackupPrivilege	4220	WMIC.exe
Token: SeRestorePrivilege	4220	WMIC.exe
Token: SeShutdownPrivilege	4220	WMIC.exe
Token: SeDebugPrivilege	4220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4220	WMIC.exe
Token: SeRemoteShutdownPrivilege	4220	WMIC.exe
Token: SeUndockPrivilege	4220	WMIC.exe
Token: SeManageVolumePrivilege	4220	WMIC.exe
Token: 33	4220	WMIC.exe
Token: 34	4220	WMIC.exe
Token: 35	4220	WMIC.exe
Token: 36	4220	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1680	WMIC.exe
Token: SeSecurityPrivilege	1680	WMIC.exe
Token: SeTakeOwnershipPrivilege	1680	WMIC.exe
Token: SeLoadDriverPrivilege	1680	WMIC.exe
Token: SeSystemProfilePrivilege	1680	WMIC.exe
Token: SeSystemtimePrivilege	1680	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4220	WMIC.exe
Token: SeProfSingleProcessPrivilege	1680	WMIC.exe
Token: SeSecurityPrivilege	4220	WMIC.exe
Token: SeIncBasePriorityPrivilege	1680	WMIC.exe
Token: SeTakeOwnershipPrivilege	4220	WMIC.exe
Token: SeCreatePagefilePrivilege	1680	WMIC.exe
Token: SeLoadDriverPrivilege	4220	WMIC.exe
Token: SeSystemProfilePrivilege	4220	WMIC.exe
Token: SeSystemtimePrivilege	4220	WMIC.exe
Token: SeProfSingleProcessPrivilege	4220	WMIC.exe
Token: SeIncBasePriorityPrivilege	4220	WMIC.exe
Token: SeCreatePagefilePrivilege	4220	WMIC.exe
Token: SeBackupPrivilege	4220	WMIC.exe
Token: SeRestorePrivilege	4220	WMIC.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

8090cb9a98392d753116e30e0be9f25a.exeservices.execmd.execmd.exe

description	pid	Process	procid_target
PID 4284 wrote to memory of 4928	4284	8090cb9a98392d753116e30e0be9f25a.exe	79
PID 4284 wrote to memory of 4928	4284	8090cb9a98392d753116e30e0be9f25a.exe	79
PID 4284 wrote to memory of 4928	4284	8090cb9a98392d753116e30e0be9f25a.exe	79
PID 4284 wrote to memory of 5032	4284	8090cb9a98392d753116e30e0be9f25a.exe	80
PID 4284 wrote to memory of 5032	4284	8090cb9a98392d753116e30e0be9f25a.exe	80
PID 4284 wrote to memory of 5032	4284	8090cb9a98392d753116e30e0be9f25a.exe	80
PID 4284 wrote to memory of 5032	4284	8090cb9a98392d753116e30e0be9f25a.exe	80
PID 4284 wrote to memory of 5032	4284	8090cb9a98392d753116e30e0be9f25a.exe	80
PID 4284 wrote to memory of 5032	4284	8090cb9a98392d753116e30e0be9f25a.exe	80
PID 4928 wrote to memory of 4592	4928	services.exe	81
PID 4928 wrote to memory of 4592	4928	services.exe	81
PID 4928 wrote to memory of 4592	4928	services.exe	81
PID 4928 wrote to memory of 648	4928	services.exe	82
PID 4928 wrote to memory of 648	4928	services.exe	82
PID 4928 wrote to memory of 648	4928	services.exe	82
PID 4928 wrote to memory of 3632	4928	services.exe	83
PID 4928 wrote to memory of 3632	4928	services.exe	83
PID 4928 wrote to memory of 3632	4928	services.exe	83
PID 4928 wrote to memory of 4628	4928	services.exe	84
PID 4928 wrote to memory of 4628	4928	services.exe	84
PID 4928 wrote to memory of 4628	4928	services.exe	84
PID 4928 wrote to memory of 4432	4928	services.exe	85
PID 4928 wrote to memory of 4432	4928	services.exe	85
PID 4928 wrote to memory of 4432	4928	services.exe	85
PID 4928 wrote to memory of 1944	4928	services.exe	86
PID 4928 wrote to memory of 1944	4928	services.exe	86
PID 4928 wrote to memory of 1944	4928	services.exe	86
PID 4928 wrote to memory of 1780	4928	services.exe	87
PID 4928 wrote to memory of 1780	4928	services.exe	87
PID 4928 wrote to memory of 1780	4928	services.exe	87
PID 4592 wrote to memory of 4220	4592	cmd.exe	94
PID 4592 wrote to memory of 4220	4592	cmd.exe	94
PID 4592 wrote to memory of 4220	4592	cmd.exe	94
PID 1944 wrote to memory of 1680	1944	cmd.exe	95
PID 1944 wrote to memory of 1680	1944	cmd.exe	95
PID 1944 wrote to memory of 1680	1944	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\8090cb9a98392d753116e30e0be9f25a.exe
"C:\Users\Admin\AppData\Local\Temp\8090cb9a98392d753116e30e0be9f25a.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1680
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1780
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:5032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe

Filesize
216KB

MD5
8090cb9a98392d753116e30e0be9f25a

SHA1
1f45a5e3dc88e363fd6ff83d52a6a2e4ddd8951f

SHA256
ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75

SHA512
dede19a2dd8c314617c448ad785e24b511f76eecd4dcc40b1ce2a034ef57a536fc0c6f74209685f73219974b200008b1d4127783ea5738e07b2306e13db6f7dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe

Filesize
216KB

MD5
8090cb9a98392d753116e30e0be9f25a

SHA1
1f45a5e3dc88e363fd6ff83d52a6a2e4ddd8951f

SHA256
ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75

SHA512
dede19a2dd8c314617c448ad785e24b511f76eecd4dcc40b1ce2a034ef57a536fc0c6f74209685f73219974b200008b1d4127783ea5738e07b2306e13db6f7dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe

Filesize
216KB

MD5
8090cb9a98392d753116e30e0be9f25a

SHA1
1f45a5e3dc88e363fd6ff83d52a6a2e4ddd8951f

SHA256
ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75

SHA512
dede19a2dd8c314617c448ad785e24b511f76eecd4dcc40b1ce2a034ef57a536fc0c6f74209685f73219974b200008b1d4127783ea5738e07b2306e13db6f7dd

Download Submit
memory/648-137-0x0000000000000000-mapping.dmp

Download
memory/1680-146-0x0000000000000000-mapping.dmp

Download
memory/1780-142-0x0000000000000000-mapping.dmp

Download
memory/1944-141-0x0000000000000000-mapping.dmp

Download
memory/3632-138-0x0000000000000000-mapping.dmp

Download
memory/4220-145-0x0000000000000000-mapping.dmp

Download
memory/4432-140-0x0000000000000000-mapping.dmp

Download
memory/4592-136-0x0000000000000000-mapping.dmp

Download
memory/4628-139-0x0000000000000000-mapping.dmp

Download
memory/4928-132-0x0000000000000000-mapping.dmp

Download
memory/5032-135-0x0000000000000000-mapping.dmp

Download