Analysis

max time kernel: 60s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-03-2023 04:14

Static task: static1
Behavioral task: behavioral1
  Sample: b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe
  Resource: win10v2004-20230220-en
General

Target: b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe
Size: 710KB
MD5: 7a668b5ec9a34afa512e471a20b8f932
SHA1: e53653edc907842c577b3c6dda208a60b409ced8
SHA256: b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29
SHA512: f98ab8477997c01c17031d1312293626032e600f8af8081b0aee07176b15fe91ae305e4c4e48ed30491ae0e3a374347c5bfcf804c3315b1e8b18efadf3107789
SSDEEP: 3072:ybG7N2kDTHUpouu2IbN0PFBleIW8fB6NYTL:ybE/HUG2KN0h7xsN4L
Malware Config

Extracted from: C:\Users\Admin\AppData\Local\Temp\scoped_dir2860_1454984972\CRX_INSTALL\_locales\az\readme-warning.txt
Family: makop
Emails: noctua0302@goat.si, pecunia0318@tutanota.com
Signatures

- Makop
  Ransomware family discovered by @VK_Intel in early 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
  Processes: wbadmin.exe (PID 2360)
- Loads dropped DLL (2 IoCs)
  Processes: b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe (PID 3244), b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe (PID 1344)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe (PID 3244) set thread context of b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe (PID 2264)
- Drops file in Program Files directory (64 IoCs)
  Processes: b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes: WerFault.exe (PID 4208) targeting b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe (PID 3244); WerFault.exe (PID 116) targeting b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe (PID 1344)
- Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: vds.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 3940)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe (PID 2264), b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe (PID 2264)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe (PID 3244)
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: vssvc.exe, wbengine.exe, WMIC.exe
    vssvc.exe (PID 1104): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    wbengine.exe (PID 2024): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
    WMIC.exe (PID 4944), the same 21 tokens recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe, b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe, cmd.exe
    PID 3244 (b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe) wrote to memory of PID 2264 (b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe), 10 events
    PID 2264 (b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe) wrote to memory of PID 1028 (cmd.exe), 2 events
    PID 1028 (cmd.exe) wrote to memory of PID 3940 (vssadmin.exe), 2 events
    PID 1028 (cmd.exe) wrote to memory of PID 2360 (wbadmin.exe), 2 events
    PID 1028 (cmd.exe) wrote to memory of PID 4944 (WMIC.exe), 2 events
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Users\Admin\AppData\Local\Temp\b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe"
  Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe
    Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe" n2264
      Loads dropped DLL
      - C:\Users\Admin\AppData\Local\Temp\b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 816
        Program crash
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        Interacts with shadow copies
      - C:\Windows\system32\wbadmin.exe
        Command line: wbadmin delete catalog -quiet
        Deletes backup catalog
      - C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 960
    Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3244 -ip 3244
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  Checks SCSI registry key(s)
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1344 -ip 1344
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\134245471
  Filesize: 541.9MB
  MD5: 588922a8eb5dd8a45122d47831d29c4a
  SHA1: 9cfe8d35c5da7a1d5f25299be53e3ab533ff6136
  SHA256: afe9b6109056037aead159b8fa504ee8467da7429e4f57990c2eeb0af4010d96
  SHA512: 4a31540c11137bba433a85d41b339e051c96e3a4389e59a7d701ed68aa415e469d31f0ad743b6798ef47274592d5604d6945883ac72d90aa0882c7aaa120982b
- C:\Users\Admin\AppData\Local\Temp\134245471
  Filesize: 491.4MB
  MD5: c2651d91e199c6263753d98bc022ed8f
  SHA1: f18febc6ffd854ed929641e4ffb81c10483373fa
  SHA256: a7d42f4605a0018336c5bfc88ed06569da7861d7d6c319846f267babe692d81a
  SHA512: 942d10bd38218c7726c3f1cf943effe05bc9a38babeb9e60d7c55940322542c4fbec019a9e203aed5f10c6a43bd7e6f13bf515616c37486ed22f64268c394038
- C:\Users\Admin\AppData\Local\Temp\nso832B.tmp\System.dll
  Filesize: 12KB
  MD5: cff85c549d536f651d4fb8387f1976f2
  SHA1: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
  SHA256: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
  SHA512: 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
- C:\Users\Admin\AppData\Local\Temp\nsv800.tmp\System.dll
  Filesize: 12KB
  MD5: cff85c549d536f651d4fb8387f1976f2
  SHA1: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
  SHA256: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
  SHA512: 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
- C:\Users\Admin\AppData\Local\Temp\scoped_dir2860_1454984972\CRX_INSTALL\_locales\az\readme-warning.txt
  Filesize: 1KB
  MD5: c254df13320f69aefb6a254fdb7bef85
  SHA1: ae3164c12530922d64e814b7f852e5448ad69642
  SHA256: b7252a98bcf4060b737b2fb5781f61b8250a348b3d774dbb4612abadcd30d166
  SHA512: 8f6a910b0d4a47422fd82043ff9792b8641aa4c935923b435078ab0113a806ccb156d12d2d00a5930c920d3cfb3c6e611d56de0b08921d38e63dd8dfbaa8f4dd
- memory/2264-602-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/2264-143-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/2264-141-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/2264-17405-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/2264-139-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/2264-20601-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/4300-9933-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/4300-9942-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)