Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
22-01-2024 15:53
Behavioral task
behavioral1
Sample
267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe
Resource
win7-20231215-en
windows7-x64
15 signatures
150 seconds
Behavioral task
behavioral2
Sample
267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
15 signatures
150 seconds
General
-
Target
267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe
-
Size
34KB
-
MD5
fc5456389ec7e0142df678aadde7fdb5
-
SHA1
833f4e36b4adbe00d06a846d1035585ec269a078
-
SHA256
267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97
-
SHA512
40cd72a52fae2b5db6bb7814cf910adbf4497b7a0ec36c313eae6d5406633ab5d3907d0e24560a759f947450a487747c6d7d9f3607c2234135cad770ed8e1407
-
SSDEEP
768:sNOkmJUpM2VA1dvLALUt2UBQNHXWYNZQluDRkOwT3OKFANi:sBmJ0VA1JA9ouZNZJRUOKFB
Score
10/10
Malware Config
Extracted
Path
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\readme-warning.txt
Family
makop
Ransom Note
::: Greetings :::
Little FAQ:
.1.
Q: Whats Happen?
A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen.
.2.
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay in bitcoins.
.3.
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.
.4.
Q: How to contact with you?
A: You can write us to our mailbox: [email protected]
.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.
.6.
Q: If I don�t want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.
:::BEWARE:::
DON'T try to change encrypted files by yourself!
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Emails
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (8235) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 2824 wbadmin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00351_.WMF 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238927.WMF 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEMS.ICO 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318810.WMF 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\DVD Maker\fr-FR\DVDMaker.exe.mui 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST5EDT 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\greenStateIcon.png 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15301_.GIF 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\settings.js 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-ui.jar 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.png 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD06102_.WMF 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Panama 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\settings.css 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent_partly-cloudy.png 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183574.WMF 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00232_.WMF 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN081.XML 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.RSA 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\currency.js 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_right.png 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN026.XML 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieMergeLetter.dotx 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\US_export_policy.jar 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Java\jre7\lib\management\snmp.acl.template 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\triangle.png 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.CSD 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09664_.WMF 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\OutUse.xls 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\RSSFeeds.css 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106146.WMF 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\ShvlRes.dll.mui 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\GRDEN_01.MID 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\BOMB.WAV 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer.png 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwritash.dat 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04117_.WMF 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR32F.GIF 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\settings.css 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File created C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\readme-warning.txt 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Windows Media Player\de-DE\wmpnetwk.exe.mui 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293828.WMF 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\7-Zip\Lang\eo.txt 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\ShvlRes.dll.mui 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\MSOINTL.DLL.IDX_DLL 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_OFF.GIF 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveLetter.dotx 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\PREVIEW.GIF 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3020 vssadmin.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2192 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeBackupPrivilege 1760 vssvc.exe Token: SeRestorePrivilege 1760 vssvc.exe Token: SeAuditPrivilege 1760 vssvc.exe Token: SeBackupPrivilege 2584 wbengine.exe Token: SeRestorePrivilege 2584 wbengine.exe Token: SeSecurityPrivilege 2584 wbengine.exe Token: SeIncreaseQuotaPrivilege 2724 WMIC.exe Token: SeSecurityPrivilege 2724 WMIC.exe Token: SeTakeOwnershipPrivilege 2724 WMIC.exe Token: SeLoadDriverPrivilege 2724 WMIC.exe Token: SeSystemProfilePrivilege 2724 WMIC.exe Token: SeSystemtimePrivilege 2724 WMIC.exe Token: SeProfSingleProcessPrivilege 2724 WMIC.exe Token: SeIncBasePriorityPrivilege 2724 WMIC.exe Token: SeCreatePagefilePrivilege 2724 WMIC.exe Token: SeBackupPrivilege 2724 WMIC.exe Token: SeRestorePrivilege 2724 WMIC.exe Token: SeShutdownPrivilege 2724 WMIC.exe Token: SeDebugPrivilege 2724 WMIC.exe Token: SeSystemEnvironmentPrivilege 2724 WMIC.exe Token: SeRemoteShutdownPrivilege 2724 WMIC.exe Token: SeUndockPrivilege 2724 WMIC.exe Token: SeManageVolumePrivilege 2724 WMIC.exe Token: 33 2724 WMIC.exe Token: 34 2724 WMIC.exe Token: 35 2724 WMIC.exe Token: SeIncreaseQuotaPrivilege 2724 WMIC.exe Token: SeSecurityPrivilege 2724 WMIC.exe Token: SeTakeOwnershipPrivilege 2724 WMIC.exe Token: SeLoadDriverPrivilege 2724 WMIC.exe Token: SeSystemProfilePrivilege 2724 WMIC.exe Token: SeSystemtimePrivilege 2724 WMIC.exe Token: SeProfSingleProcessPrivilege 2724 WMIC.exe Token: SeIncBasePriorityPrivilege 2724 WMIC.exe Token: SeCreatePagefilePrivilege 2724 WMIC.exe Token: SeBackupPrivilege 2724 WMIC.exe Token: SeRestorePrivilege 2724 WMIC.exe Token: SeShutdownPrivilege 2724 WMIC.exe Token: SeDebugPrivilege 2724 WMIC.exe Token: SeSystemEnvironmentPrivilege 2724 WMIC.exe Token: SeRemoteShutdownPrivilege 2724 WMIC.exe Token: SeUndockPrivilege 2724 WMIC.exe Token: SeManageVolumePrivilege 2724 WMIC.exe Token: 33 2724 WMIC.exe Token: 34 2724 WMIC.exe Token: 35 2724 WMIC.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 2192 wrote to memory of 1080 2192 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe 29 PID 2192 wrote to memory of 1080 2192 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe 29 PID 2192 wrote to memory of 1080 2192 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe 29 PID 2192 wrote to memory of 1080 2192 267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe 29 PID 1080 wrote to memory of 3020 1080 cmd.exe 31 PID 1080 wrote to memory of 3020 1080 cmd.exe 31 PID 1080 wrote to memory of 3020 1080 cmd.exe 31 PID 1080 wrote to memory of 2824 1080 cmd.exe 34 PID 1080 wrote to memory of 2824 1080 cmd.exe 34 PID 1080 wrote to memory of 2824 1080 cmd.exe 34 PID 1080 wrote to memory of 2724 1080 cmd.exe 38 PID 1080 wrote to memory of 2724 1080 cmd.exe 38 PID 1080 wrote to memory of 2724 1080 cmd.exe 38 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe"C:\Users\Admin\AppData\Local\Temp\267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Users\Admin\AppData\Local\Temp\267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe"C:\Users\Admin\AppData\Local\Temp\267f4251888e56ee84029a34e56fcceb63940f75fa563b20e1a7267806049a97.exe" n21922⤵PID:1148
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3020
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:2824
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2584
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2600
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:2556
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5570f5d3f73d6f35f1d35f2ab27d5d539
SHA17e304510914feaac03282a9d589109ac35e7b75a
SHA2566dba66d136807f225d86d9ddd897469df5f6a055ca4657bb2aef39ba306fab2d
SHA512dd23d0a856d9c2646a0124fb354a14e3bfba8aebcd7bd7a066bdf7452d46809771645eafb55bf4d0b338c607c6da5b2882b0300f4f8a52793ba56cbdbef02fcf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5f6f51af489363ea92dcb098147516e42
SHA1a4e1a143f517ac89845ff80d5f0594b7c3525e0a
SHA256c91ddd820e34ed39ea359ac410a7145944e0569acdf478a5c682c8c48aead72c
SHA5122342f0264c7fd420c2dc5a3b207b66432b9a853763956b85382caed144d581ac6fb301b0aac72f8cc2c72a990f7f23fa1cb5a5a014082f1a456ab899e4580d5e
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06