Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-03-2024 01:43
Static task: static1
Behavioral task: behavioral1
  Sample: dcef208fcdac3345c6899a478d16980f.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: dcef208fcdac3345c6899a478d16980f.exe
  Resource: win10v2004-20240226-en
General
- Target: dcef208fcdac3345c6899a478d16980f.exe
- Size: 416KB
- MD5: dcef208fcdac3345c6899a478d16980f
- SHA1: fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0
- SHA256: 824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc
- SHA512: 28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba
- SSDEEP: 6144:iYdiLQNWloaXoLJYksETr0vpvejH6ols25A0LJjI4WHB/N7:BiLQqosgZs+8vejap0LJ6h
Malware Config
Extracted: C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
Signatures
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
- Detects Zeppelin payload (22 IoCs)
  yara_rule: family_zeppelin, matched in the following resources:
    behavioral2/memory/1176-2-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/1176-3-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/1176-24-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/1176-25-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/3044-30-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/3044-46-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/3044-53-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/3044-57-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/3272-64-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/3052-68-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/3272-69-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/3052-1470-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/3052-2120-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/3052-2400-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/3052-2835-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/3052-3328-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/3052-5923-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/3052-8072-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/3052-8527-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/3052-9912-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/3052-11072-0x0000000000400000-0x0000000000557000-memory.dmp
    behavioral2/memory/3052-12137-0x0000000000400000-0x0000000000557000-memory.dmp
- Zeppelin Ransomware
  Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (3146) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  Process: dcef208fcdac3345c6899a478d16980f.exe
- Deletes itself (1 IoCs)
  pid 1336, Process notepad.exe
- Executes dropped EXE (3 IoCs)
  pid 3044, Process spoolsv.exe
  pid 3052, Process spoolsv.exe
  pid 3272, Process spoolsv.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\spoolsv.exe\" -start"
  Process: dcef208fcdac3345c6899a478d16980f.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only), Process: spoolsv.exe, for each of the following ioc paths:
    \??\Z:  \??\P:  \??\M:  \??\K:  \??\H:  \??\G:  \??\X:  \??\W:  \??\T:  \??\S:  \??\R:  \??\O:
    \??\J:  \??\E:  \??\B:  \??\U:  \??\I:  \??\A:  \??\Y:  \??\V:  \??\Q:  \??\N:  \??\L:
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow 57, ioc iplogger.org
  flow 55, ioc iplogger.org
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 22, ioc geoiptool.com
- Drops file in Program Files directory (64 IoCs)
  Process: spoolsv.exe for every entry below.
  File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\BloodPressureTracker.xltx
  File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\THMBNAIL.PNG.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\7-Zip\Lang\fr.txt
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.config
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL
  File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSJHBD.TTC
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png
  File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSI.TTF.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\GIFIMP32.FLT
  File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\javaws.jar
  File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\comments.win32.bundle.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms
  File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-80.png.kd8eby0.D4E-0BB-31D
  File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-ms.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\MSQRY32.CHM.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\CLICK.WAV.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX
  File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL075.XML.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\PHONE.XML
  File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File created C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\javaws.policy.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ul-oob.xrm-ms.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MTEXTRA.TTF.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\7-Zip\Lang\ko.txt
  File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms
  File opened for modification C:\Program Files\7-Zip\Lang\be.txt
  File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms
  File opened for modification C:\Program Files\7-Zip\Lang\nl.txt.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8es.dub.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt
  File opened for modification C:\Program Files\Java\jdk-1.8\legal\javafx\glib.md.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\7-Zip\Lang\tr.txt.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png
  File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\COMPASS.ELM
  File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\7-Zip\Lang\is.txt
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-phn.xrm-ms.kd8eby0.D4E-0BB-31D
  File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql120.xsl
  File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description (Token), pid, Process:
  Token: SeDebugPrivilege, 1176, dcef208fcdac3345c6899a478d16980f.exe
  Token: SeDebugPrivilege, 1176, dcef208fcdac3345c6899a478d16980f.exe
  Token: SeIncreaseQuotaPrivilege, 1080, WMIC.exe
  Token: SeSecurityPrivilege, 1080, WMIC.exe
  Token: SeTakeOwnershipPrivilege, 1080, WMIC.exe
  Token: SeLoadDriverPrivilege, 1080, WMIC.exe
  Token: SeSystemProfilePrivilege, 1080, WMIC.exe
  Token: SeSystemtimePrivilege, 1080, WMIC.exe
  Token: SeProfSingleProcessPrivilege, 1080, WMIC.exe
  Token: SeIncreaseQuotaPrivilege, 4004, WMIC.exe
  Token: SeIncBasePriorityPrivilege, 1080, WMIC.exe
  Token: SeCreatePagefilePrivilege, 1080, WMIC.exe
  Token: SeSecurityPrivilege, 4004, WMIC.exe
  Token: SeBackupPrivilege, 1080, WMIC.exe
  Token: SeTakeOwnershipPrivilege, 4004, WMIC.exe
  Token: SeRestorePrivilege, 1080, WMIC.exe
  Token: SeLoadDriverPrivilege, 4004, WMIC.exe
  Token: SeShutdownPrivilege, 1080, WMIC.exe
  Token: SeDebugPrivilege, 1080, WMIC.exe
  Token: SeSystemProfilePrivilege, 4004, WMIC.exe
  Token: SeSystemEnvironmentPrivilege, 1080, WMIC.exe
  Token: SeSystemtimePrivilege, 4004, WMIC.exe
  Token: SeRemoteShutdownPrivilege, 1080, WMIC.exe
  Token: SeUndockPrivilege, 1080, WMIC.exe
  Token: SeProfSingleProcessPrivilege, 4004, WMIC.exe
  Token: SeManageVolumePrivilege, 1080, WMIC.exe
  Token: SeIncBasePriorityPrivilege, 4004, WMIC.exe
  Token: 33, 1080, WMIC.exe
  Token: 34, 1080, WMIC.exe
  Token: SeCreatePagefilePrivilege, 4004, WMIC.exe
  Token: 35, 1080, WMIC.exe
  Token: 36, 1080, WMIC.exe
  Token: SeBackupPrivilege, 4004, WMIC.exe
  Token: SeRestorePrivilege, 4004, WMIC.exe
  Token: SeShutdownPrivilege, 4004, WMIC.exe
  Token: SeDebugPrivilege, 4004, WMIC.exe
  Token: SeSystemEnvironmentPrivilege, 4004, WMIC.exe
  Token: SeRemoteShutdownPrivilege, 4004, WMIC.exe
  Token: SeUndockPrivilege, 4004, WMIC.exe
  Token: SeManageVolumePrivilege, 4004, WMIC.exe
  Token: 33, 4004, WMIC.exe
  Token: 34, 4004, WMIC.exe
  Token: 35, 4004, WMIC.exe
  Token: 36, 4004, WMIC.exe
  Token: SeIncreaseQuotaPrivilege, 1080, WMIC.exe
  Token: SeSecurityPrivilege, 1080, WMIC.exe
  Token: SeTakeOwnershipPrivilege, 1080, WMIC.exe
  Token: SeLoadDriverPrivilege, 1080, WMIC.exe
  Token: SeSystemProfilePrivilege, 1080, WMIC.exe
  Token: SeSystemtimePrivilege, 1080, WMIC.exe
  Token: SeProfSingleProcessPrivilege, 1080, WMIC.exe
  Token: SeIncBasePriorityPrivilege, 1080, WMIC.exe
  Token: SeCreatePagefilePrivilege, 1080, WMIC.exe
  Token: SeBackupPrivilege, 1080, WMIC.exe
  Token: SeRestorePrivilege, 1080, WMIC.exe
  Token: SeShutdownPrivilege, 1080, WMIC.exe
  Token: SeDebugPrivilege, 1080, WMIC.exe
  Token: SeSystemEnvironmentPrivilege, 1080, WMIC.exe
  Token: SeRemoteShutdownPrivilege, 1080, WMIC.exe
  Token: SeUndockPrivilege, 1080, WMIC.exe
  Token: SeManageVolumePrivilege, 1080, WMIC.exe
  Token: 33, 1080, WMIC.exe
  Token: 34, 1080, WMIC.exe
  Token: 35, 1080, WMIC.exe
- Suspicious use of WriteProcessMemory (39 IoCs)
  description, pid, Process, procid_target:
  PID 1176 wrote to memory of 3044, 1176, dcef208fcdac3345c6899a478d16980f.exe, 101 (3 times)
  PID 1176 wrote to memory of 1336, 1176, dcef208fcdac3345c6899a478d16980f.exe, 102 (6 times)
  PID 3044 wrote to memory of 2108, 3044, spoolsv.exe, 112 (3 times)
  PID 3044 wrote to memory of 4488, 3044, spoolsv.exe, 113 (3 times)
  PID 3044 wrote to memory of 4264, 3044, spoolsv.exe, 114 (3 times)
  PID 3044 wrote to memory of 1596, 3044, spoolsv.exe, 115 (3 times)
  PID 3044 wrote to memory of 1712, 3044, spoolsv.exe, 116 (3 times)
  PID 3044 wrote to memory of 3588, 3044, spoolsv.exe, 117 (3 times)
  PID 3044 wrote to memory of 3052, 3044, spoolsv.exe, 118 (3 times)
  PID 3044 wrote to memory of 3272, 3044, spoolsv.exe, 119 (3 times)
  PID 3588 wrote to memory of 1080, 3588, cmd.exe, 126 (3 times)
  PID 2108 wrote to memory of 4004, 2108, cmd.exe, 127 (3 times)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\dcef208fcdac3345c6899a478d16980f.exe (PID 1176)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dcef208fcdac3345c6899a478d16980f.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe (PID 3044)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
    Signatures: Executes dropped EXE; Enumerates connected drives; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2108)
      Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4004)
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 4488)
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    - C:\Windows\SysWOW64\cmd.exe (PID 4264)
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - C:\Windows\SysWOW64\cmd.exe (PID 1596)
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    - C:\Windows\SysWOW64\cmd.exe (PID 1712)
      Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    - C:\Windows\SysWOW64\cmd.exe (PID 3588)
      Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1080)
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe (PID 3052)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
      Signatures: Executes dropped EXE; Drops file in Program Files directory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe (PID 3272)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 1
      Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\notepad.exe (PID 1336)
    Command line: notepad.exe
    Signatures: Deletes itself
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1860)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3988 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
- C:\Windows\system32\vssvc.exe (PID 4528)
  Command line: C:\Windows\system32\vssvc.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 975B
  MD5: 03091bcd2d9c58559355f57e140eb815
  SHA1: ed88c2371e126f182364a8a800fe42ece164137f
  SHA256: bc6ca416e9e3ce3129eef762551b26538a1025c12d12fcf0c91f393f666ec24e
  SHA512: fb8150a5cbf1f18de3b345333382dd2a9f889dc66d212c41655f6ed01883f5448c2cba5c8f57491af72ac6660a3e3e4874ee23e06655cc09e3a8c7becd884c93
- Filesize: 292KB
  MD5: e3acab4805ccd56cb45f5313693c57a5
  SHA1: 2fd9631981a4e9d364fcbf203f86c5ca07ffeff0
  SHA256: 4436a46de735e153b9ad3bc80aa26e6a0fbbed8341713f077bdc96348df4d9ec
  SHA512: ce50f13867d9e7d4a0cd900828bfba0774ed3cdba3a24b00d957564d2c0b2e7d0723546366e3afcec5aec9e051ceeff65df350203ff79c296c5ed6cb58445924
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi
  Filesize: 44KB
  MD5: cd028acc33e7fbe52af5732b307390c2
  SHA1: 26b80c775861e175bbc004cadd41d08955fcfd32
  SHA256: 76470013bb8706f13f9973d903051529f0e61801fa5790d59cf6c35cc1020e8f
  SHA512: 9772b1a4d88b921a1b9c91be399a4ace446468d3450c7f99ad386e3f15fe1f888bea60572690dfb77d8866e540643bfd4450a1dcdcdf7669965cf8048835dc3b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  Filesize: 2KB
  MD5: 11d71c970ccf0e5af1a11cb5e15d9fc9
  SHA1: 5cfbda5675975a7d691101a9096cd9d42c964b4c
  SHA256: 3f37c40cc9fbf51ffff7a4147d81398cde110a815e5fa7894d04dcb883d6fc1d
  SHA512: 03b6de82dbec27d4b7ca2226f30ed949091969533460f9e2d6f4162d44e4cd6c5d1d8be567b268c0935c71fe06b509001a6c9404595eef8cb2f8c5808d47e632
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
  Filesize: 472B
  MD5: 38cfeb9a4a7c8007273ead650b17d7b0
  SHA1: f1bdff77349e0a1b0554b39e1480191a6593668d
  SHA256: d71077717606050c4571f0933f95ac9b4cc40e8fd3a724e2728132a94750b587
  SHA512: 8734e86451ad7c657b54dc1ccce25bfcf49d1459634d2b2f4e65f5bdf1ab243042304fbbd3e9d7560bfc6397a33d5d09681694e6a363497b77f0b9b4e6ff5ad5
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  Filesize: 1KB
  MD5: 4bbdeccef77d0216c7c85aa8ce6fd456
  SHA1: a8e6ece2829f7a721d5e02c7e37d30c0ee584105
  SHA256: d4c20a525b2cb0035944212b76b0573779ec672ea64b72679dafebdf7c44a6dc
  SHA512: 7a5cbcde4e7d2a952f9bc846e29326b53166592224af39d3b67dd6f602a9cc77c2e4d97929823e4329ce1b6557a6df5f437dffe18f4ed93b85f97dd81105d6e9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  Filesize: 484B
  MD5: 001a0cd5a14a48eb4515a7574b4cb890
  SHA1: f6e5f65be73025b0b4c166812dffcfe262879da2
  SHA256: 84b35f2544ad01a8ada68c1d8c930a1f08bdb87680b62814b26af28d72277543
  SHA512: d912a27bf8727bba1429a24ba98687c0f94ce5d2a84bedcae286d8991175859ec1ab9c9ce07c261390ccc4048a8dd98a6ab7ab9a4acfb062931fdc90c06c6aeb
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
  Filesize: 488B
  MD5: e7f0e3cc68b87e0328f4e62c3ec58ff5
  SHA1: a2ac148082b99e197ca21cb271c565f279a8646b
  SHA256: 122c070dbdbb3736506d53998b5812168bf9166ba810083f5adc5da1677d6d3b
  SHA512: 2b18b0a3bd9a6fb6606ebcfdd7af37e3d41d98eb9e4be8b5ae662f2c703413a1140fc5b7a8ac75feae47fdde4398dbacdd5a0d324588dccce5400e2aef5d1278
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  Filesize: 482B
  MD5: 65fe9011d043b0ba00b4d612f627fd37
  SHA1: 6bd56625d3e7e57b34a58328b63562a7e949c01b
  SHA256: c9329bd4273a53d65d04f20e02d4e1ca23031b1f89e538ff86e22f7169b92211
  SHA512: 61e886497f6ab409c68ca36798a37a835bc0bfe2db8bacf6cfe00ec2f87f0cb28f329c049f6a5ba30c9e2805f5dd2703d23470f64e8803db6eab790770d8cbd2
- Filesize: 190B
  MD5: 6ebbeb8c70d5f8ffc3fb501950468594
  SHA1: c06e60a316e48f5c35d39bcf7ed7e6254957ac9e
  SHA256: a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1
  SHA512: 75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c
- Filesize: 18KB
  MD5: d86c179bcfbd66e883f47019ea1ca200
  SHA1: c63ad8a4b2a4c3e5408225a1231e25ec44d65eb8
  SHA256: b465036b723ca3a35874e6eb4a2560140a2a9364ecc53b2dc7c0f1b59d216bea
  SHA512: d9136ce45ba1210a717199f6f9292a656ef0fa86674c168a9be09c7ae2aab25c247bc417d1bf24c11fc403becc0da50805a61f0731c358c596a0780ffe986d8f
- Filesize: 406B
  MD5: ef572e2c7b1bbd57654b36e8dcfdc37a
  SHA1: b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
  SHA256: e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
  SHA512: b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
- Filesize: 416KB
  MD5: dcef208fcdac3345c6899a478d16980f
  SHA1: fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0
  SHA256: 824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc
  SHA512: 28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba
- Filesize: 513B
  MD5: 8bff8f7ec2dee0630915c750011b1bad
  SHA1: 3f37e6bc23aba846bffa9d510bfd03024af53c73
  SHA256: aca5c1161a85a45d36eaf2bceeff54a0d668bc04957b91f49665fe2a52857ef3
  SHA512: e9f1100ee8ebb3614351f8300615fa9400198848502e7d67e8dce918d95a0ce7a245db2a9951fcb7baaeff9c8d0fe36b38d368c263e5daf34ddf0947470d9abe
- Filesize: 82KB
  MD5: 79f0589d1c70aa9ed392682103db4622
  SHA1: 268581f9a6c5fcd2a45b1833e9c01a694f99db78
  SHA256: 7c08f579d10dfc9ec9d12b5a93957cbdf90df9225b4e220116b8bc87acdacc5e
  SHA512: fb2cb6e6073ebbd481ce2aba580f8d66a3f961947f380ced66c5518bb1962a0d96a8aa2fad0175dbb94c27ffa13d8cf2b11d4c0bb38767b30b0fe74e9c9951c9