Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
81s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
28/12/2022, 06:02
Behavioral task
behavioral1
Sample
dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe
Resource
win10v2004-20221111-en
General
-
Target
dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe
-
Size
396KB
-
MD5
6a956731b3677dd9d4d18641d40532ab
-
SHA1
1994ee0b381c5528d5b5c01fb97a14b5ff81e5a5
-
SHA256
dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309
-
SHA512
314d87605dfe01cfb83a8b6ff17e98fc933f012ef933557d1899ebf0941d892a37f0d0692d99a3cd7061ce6c2c90a6dafe7b8dbb80ae875d9c368529f0b87991
-
SSDEEP
1536:n28VgV1U8ZGURVFB3eH/omAhUfKQnSz+jS7ddpjHXSeSv3caALL95T:28VgV1UqGgVFBKo8ybdz
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
makop
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 3928 created 4480 3928 svchost.exe 81 -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
pid Process 2568 wbadmin.exe -
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\ClearSearch.tiff dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Users\Admin\Pictures\DenyConvertFrom.tiff dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Users\Admin\Pictures\StepJoin.tiff dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-phn.xrm-ms dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUABI.TTF dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxManifest.xml dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\ui-strings.js dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldContain.snippets.ps1xml dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER.XLAM dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_contrast-white.png dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-36_altform-lightunplated.png dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-96_altform-unplated.png dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\icons.png dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\es-es\ui-strings.js dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.ja_5.5.0.165303.jar dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\GIFIMP32.FLT dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\readme-warning.txt dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\az.pak.DATA dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\TimelessReport.dotx dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square310x310Logo.scale-200.png dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\Pyramid.Large.png dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ko.pak dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlOuterCircle.png dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\ui-strings.js dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\ui-strings.js dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fi-fi\ui-strings.js dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-48_contrast-white.png dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\msipc.dll.mui dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-125.png dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\CortanaApp.ProjectedApi.winmd dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-125_contrast-black.png dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\AppStore_icon.svg dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\invalid32x32.gif dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_WideTile.scale-125.png dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-36_altform-unplated.png dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msadcer.dll.mui dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\readme-warning.txt dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\LockScreenBadgeLogo.scale-200.png dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-400.png dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-32_altform-unplated.png dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-125.png dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\ui-strings.js dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\ui-strings.js dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\readme-warning.txt dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-oob.xrm-ms dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\share.svg dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\In.Tests.ps1 dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-100.png dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-36.png dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hr-hr\readme-warning.txt dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\uk-ua\ui-strings.js dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 vds.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1564 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4480 dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe 4480 dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeTcbPrivilege 3928 svchost.exe Token: SeTcbPrivilege 3928 svchost.exe Token: SeBackupPrivilege 620 vssvc.exe Token: SeRestorePrivilege 620 vssvc.exe Token: SeAuditPrivilege 620 vssvc.exe Token: SeBackupPrivilege 1172 wbengine.exe Token: SeRestorePrivilege 1172 wbengine.exe Token: SeSecurityPrivilege 1172 wbengine.exe Token: SeIncreaseQuotaPrivilege 5092 WMIC.exe Token: SeSecurityPrivilege 5092 WMIC.exe Token: SeTakeOwnershipPrivilege 5092 WMIC.exe Token: SeLoadDriverPrivilege 5092 WMIC.exe Token: SeSystemProfilePrivilege 5092 WMIC.exe Token: SeSystemtimePrivilege 5092 WMIC.exe Token: SeProfSingleProcessPrivilege 5092 WMIC.exe Token: SeIncBasePriorityPrivilege 5092 WMIC.exe Token: SeCreatePagefilePrivilege 5092 WMIC.exe Token: SeBackupPrivilege 5092 WMIC.exe Token: SeRestorePrivilege 5092 WMIC.exe Token: SeShutdownPrivilege 5092 WMIC.exe Token: SeDebugPrivilege 5092 WMIC.exe Token: SeSystemEnvironmentPrivilege 5092 WMIC.exe Token: SeRemoteShutdownPrivilege 5092 WMIC.exe Token: SeUndockPrivilege 5092 WMIC.exe Token: SeManageVolumePrivilege 5092 WMIC.exe Token: 33 5092 WMIC.exe Token: 34 5092 WMIC.exe Token: 35 5092 WMIC.exe Token: 36 5092 WMIC.exe Token: SeIncreaseQuotaPrivilege 5092 WMIC.exe Token: SeSecurityPrivilege 5092 WMIC.exe Token: SeTakeOwnershipPrivilege 5092 WMIC.exe Token: SeLoadDriverPrivilege 5092 WMIC.exe Token: SeSystemProfilePrivilege 5092 WMIC.exe Token: SeSystemtimePrivilege 5092 WMIC.exe Token: SeProfSingleProcessPrivilege 5092 WMIC.exe Token: SeIncBasePriorityPrivilege 5092 WMIC.exe Token: SeCreatePagefilePrivilege 5092 WMIC.exe Token: SeBackupPrivilege 5092 WMIC.exe Token: SeRestorePrivilege 5092 WMIC.exe Token: SeShutdownPrivilege 5092 WMIC.exe Token: SeDebugPrivilege 5092 WMIC.exe Token: SeSystemEnvironmentPrivilege 5092 WMIC.exe Token: SeRemoteShutdownPrivilege 5092 WMIC.exe Token: SeUndockPrivilege 5092 WMIC.exe Token: SeManageVolumePrivilege 5092 WMIC.exe Token: 33 5092 WMIC.exe Token: 34 5092 WMIC.exe Token: 35 5092 WMIC.exe Token: 36 5092 WMIC.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 3928 wrote to memory of 4320 3928 svchost.exe 83 PID 3928 wrote to memory of 4320 3928 svchost.exe 83 PID 3928 wrote to memory of 4320 3928 svchost.exe 83 PID 3928 wrote to memory of 4320 3928 svchost.exe 83 PID 3928 wrote to memory of 4320 3928 svchost.exe 83 PID 3928 wrote to memory of 4320 3928 svchost.exe 83 PID 3928 wrote to memory of 4320 3928 svchost.exe 83 PID 4480 wrote to memory of 4916 4480 dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe 84 PID 4480 wrote to memory of 4916 4480 dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe 84 PID 4916 wrote to memory of 1564 4916 cmd.exe 86 PID 4916 wrote to memory of 1564 4916 cmd.exe 86 PID 4916 wrote to memory of 2568 4916 cmd.exe 89 PID 4916 wrote to memory of 2568 4916 cmd.exe 89 PID 4916 wrote to memory of 5092 4916 cmd.exe 93 PID 4916 wrote to memory of 5092 4916 cmd.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe"C:\Users\Admin\AppData\Local\Temp\dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe"1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Users\Admin\AppData\Local\Temp\dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe"C:\Users\Admin\AppData\Local\Temp\dc4bb89a5e91280cb1fcf1d87f8616fe3cc283159c8babb240b437d2e1e5a309.exe" n44802⤵PID:4320
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1564
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:2568
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5092
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:620
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2240
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:3700