Analysis
max time kernel: 123s
max time network: 128s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 22/08/2024, 09:28
Static task: static1
Behavioral task: behavioral1
  Sample: 2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe
  Resource: win10v2004-20240802-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/System.dll
  Resource: win7-20240729-en
Behavioral task: behavioral4
  Sample: $PLUGINSDIR/System.dll
  Resource: win10v2004-20240802-en
General
Target: 2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe
Size: 103KB
MD5: 72df7fd0854935ba0b5e07f723589392
SHA1: d628cb84d232f83dcd291e43ff079fb481290a7d
SHA256: 2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183
SHA512: 12dfc847064842207c3b87119145fb50ebd647f9eb6ef997ad47c1f5e451f2f2033635169aed28a8f6288f718fbce56d8a67c2178dd26dc016de52bed2520e67
SSDEEP: 3072:vomnzVincQDKgcp3bsOW+NMY7sDti0dP0L0nLn:vtZVsyNMYytiFL4j
Malware Config
Extracted
  Path: C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-v..lpc-vmsal.resources_31bf3856ad364e35_7.1.7601.17514_es-es_d44d8fd5b93ba0a5\readme-warning.txt
  Family: makop
Signatures
- Makop
  Ransomware family discovered by @VK_Intel in early 2020.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (8728) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Deletes backup catalog
  pid   Process
  2244  wbadmin.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  1848  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe
  2816  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 1 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc      Process
  File opened (read-only)  \??\F:   2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  4     iplogger.org
  5     iplogger.org
- Suspicious use of SetThreadContext (2 IoCs)
  description                              pid   Process                                                                   procid_target
  PID 1848 set thread context of 2776      1848  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe  30
  PID 2816 set thread context of 2388      2816  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe  43
- Drops file in Program Files directory (64 IoCs)
  Process for every row: 2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe
  description                  ioc
  File opened for modification  C:\Program Files\7-Zip\7zCon.sfx
  File opened for modification  C:\Program Files\7-Zip\Lang\mng.txt
  File opened for modification  C:\Program Files\Windows Journal\Templates\Music.jtp
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImagesMask.bmp
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18226_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL022.XML
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Swift_Current
  File created                  C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\readme-warning.txt
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\RIPPLE.INF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105250.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299587.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPLTMPL.CFG
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\TOOT.WAV
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL102.XML
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_SelectionSubpicture.png
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\library.js
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00681_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02950_.WMF
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\+NewSQLServerConnection.odc
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\calendar.html
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core_2.3.0.v20131211-1531.jar
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\vlc.mo
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square.png
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_left.png
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\currency.css
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00902_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18196_.WMF
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml
  File opened for modification  C:\Program Files\Java\jre7\lib\plugin.jar
  File opened for modification  C:\Program Files\Windows Media Player\de-DE\wmlaunch.exe.mui
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\readme-warning.txt
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Technic.thmx
  File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\ChkrRes.dll.mui
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00252_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297725.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107288.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\background.gif
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\XLSLICER.DLL.IDX_DLL
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST7MDT
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\readme-warning.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00120_.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\OliveGreen.css
  File opened for modification  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\ResourceInternal.zip
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Chita
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_left.png
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Perth
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Athens
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341561.JPG
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14870_.GIF
  File opened for modification  C:\Program Files (x86)\Windows Defender\en-US\MpAsDesc.dll.mui
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Process for every row: 2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe
  description  ioc
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Interacts with shadow copies (3 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   Process
  2152  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2776  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  1848  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe
  2816  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description                          pid   Process
  Token: SeBackupPrivilege             2720  vssvc.exe
  Token: SeRestorePrivilege            2720  vssvc.exe
  Token: SeAuditPrivilege              2720  vssvc.exe
  Token: SeBackupPrivilege             2272  wbengine.exe
  Token: SeRestorePrivilege            2272  wbengine.exe
  Token: SeSecurityPrivilege           2272  wbengine.exe
  Token: SeIncreaseQuotaPrivilege      2748  WMIC.exe
  Token: SeSecurityPrivilege           2748  WMIC.exe
  Token: SeTakeOwnershipPrivilege      2748  WMIC.exe
  Token: SeLoadDriverPrivilege         2748  WMIC.exe
  Token: SeSystemProfilePrivilege      2748  WMIC.exe
  Token: SeSystemtimePrivilege         2748  WMIC.exe
  Token: SeProfSingleProcessPrivilege  2748  WMIC.exe
  Token: SeIncBasePriorityPrivilege    2748  WMIC.exe
  Token: SeCreatePagefilePrivilege     2748  WMIC.exe
  Token: SeBackupPrivilege             2748  WMIC.exe
  Token: SeRestorePrivilege            2748  WMIC.exe
  Token: SeShutdownPrivilege           2748  WMIC.exe
  Token: SeDebugPrivilege              2748  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  2748  WMIC.exe
  Token: SeRemoteShutdownPrivilege     2748  WMIC.exe
  Token: SeUndockPrivilege             2748  WMIC.exe
  Token: SeManageVolumePrivilege       2748  WMIC.exe
  Token: 33                            2748  WMIC.exe
  Token: 34                            2748  WMIC.exe
  Token: 35                            2748  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      2748  WMIC.exe
  Token: SeSecurityPrivilege           2748  WMIC.exe
  Token: SeTakeOwnershipPrivilege      2748  WMIC.exe
  Token: SeLoadDriverPrivilege         2748  WMIC.exe
  Token: SeSystemProfilePrivilege      2748  WMIC.exe
  Token: SeSystemtimePrivilege         2748  WMIC.exe
  Token: SeProfSingleProcessPrivilege  2748  WMIC.exe
  Token: SeIncBasePriorityPrivilege    2748  WMIC.exe
  Token: SeCreatePagefilePrivilege     2748  WMIC.exe
  Token: SeBackupPrivilege             2748  WMIC.exe
  Token: SeRestorePrivilege            2748  WMIC.exe
  Token: SeShutdownPrivilege           2748  WMIC.exe
  Token: SeDebugPrivilege              2748  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  2748  WMIC.exe
  Token: SeRemoteShutdownPrivilege     2748  WMIC.exe
  Token: SeUndockPrivilege             2748  WMIC.exe
  Token: SeManageVolumePrivilege       2748  WMIC.exe
  Token: 33                            2748  WMIC.exe
  Token: 34                            2748  WMIC.exe
  Token: 35                            2748  WMIC.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 1848 wrote to memory of 2776   1848  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe  30
  PID 1848 wrote to memory of 2776   1848  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe  30
  PID 1848 wrote to memory of 2776   1848  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe  30
  PID 1848 wrote to memory of 2776   1848  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe  30
  PID 1848 wrote to memory of 2776   1848  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe  30
  PID 2776 wrote to memory of 2780   2776  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe  32
  PID 2776 wrote to memory of 2780   2776  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe  32
  PID 2776 wrote to memory of 2780   2776  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe  32
  PID 2776 wrote to memory of 2780   2776  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe  32
  PID 2780 wrote to memory of 2152   2780  cmd.exe                                                                   34
  PID 2780 wrote to memory of 2152   2780  cmd.exe                                                                   34
  PID 2780 wrote to memory of 2152   2780  cmd.exe                                                                   34
  PID 2780 wrote to memory of 2244   2780  cmd.exe                                                                   37
  PID 2780 wrote to memory of 2244   2780  cmd.exe                                                                   37
  PID 2780 wrote to memory of 2244   2780  cmd.exe                                                                   37
  PID 2780 wrote to memory of 2748   2780  cmd.exe                                                                   41
  PID 2780 wrote to memory of 2748   2780  cmd.exe                                                                   41
  PID 2780 wrote to memory of 2748   2780  cmd.exe                                                                   41
  PID 2816 wrote to memory of 2388   2816  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe  43
  PID 2816 wrote to memory of 2388   2816  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe  43
  PID 2816 wrote to memory of 2388   2816  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe  43
  PID 2816 wrote to memory of 2388   2816  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe  43
  PID 2816 wrote to memory of 2388   2816  2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe  43
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe"
  PID: 1848
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe"
    PID: 2776
    Signatures: Enumerates connected drives; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe" n2776
      PID: 2816
      Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe" n2776
        PID: 2388
        Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      PID: 2780
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        PID: 2152
        Signatures: Interacts with shadow copies
      - C:\Windows\system32\wbadmin.exe
        Command line: wbadmin delete catalog -quiet
        PID: 2244
        Signatures: Deletes backup catalog
      - C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        PID: 2748
        Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2720
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID: 2272
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 2924
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 2616
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-v..lpc-vmsal.resources_31bf3856ad364e35_7.1.7601.17514_es-es_d44d8fd5b93ba0a5\readme-warning.txt
  Filesize: 1KB
  MD5: 0f44a19896202f3a9f8dd0747e54c5eb
  SHA1: 03f490800892428e0791deeccbe5fa56b0b97226
  SHA256: 994aaeff999041819c380948d93a44265440d63d5b6e7a9cc9ef82d646fcd1ef
  SHA512: f5323173a37308cdaf5c8480c4a4a3536211a41d2c52eb87a0c1a187f0c590e062507cdeca3720ae67a4b3579a0aa65da3da1f57014e101336f275b921e2b5f6
-
  Filesize: 58KB
  MD5: afe0b643b74b4714e2d705f34339d911
  SHA1: 1943f80961e65cd3ac8fb906352a72bd02655916
  SHA256: 28ff4090b0ff905783550e43a2d65b826509e435da0f34e856200e962142b586
  SHA512: 858009dafbe2c9a3f8e79fe6363cb9db95d37047ae9661d31be8f5da44102de8afbfebb34438881ff65eae083c3b8651ae12e9e7afa483a51700b4224960c5c7
-
  Filesize: 57KB
  MD5: 22bcb89336d9bb23b7d043e832c6db25
  SHA1: 20c808d956528cda0c780aee937092dc8151b3ed
  SHA256: b8c09432f5d84b39eade26cc54e589042b318c19014fd9723e04b055eccf4dd8
  SHA512: 5c123e5aa6c4dcee781cf89e3cc1d611d3e05dee6cc88530381f3b144d76f8debe4f2c76ce80ef9bfcee6f85861318355827d2644e9ac5402a4e46a5d044538c
-
  Filesize: 1KB
  MD5: 64bcbaefb194c4983ffcf4ef1a3bd10d
  SHA1: 9eed6a366d8a49726f02468b7ad0054e12d15152
  SHA256: 1800de1f8c2cbd8d1c06bd902f63211edb33b7aa7f04c04ff0a8826d265d3a3a
  SHA512: a5e2db463f6b659a8faf4430786d83680349daa50eae8187c117749f7bdd93fddcf720a07aa0d878ceeeeb016dbca1b987f52a8ccb912937f5c4f7d741a6b279
-
  Filesize: 1KB
  MD5: b053b395450a63243956d9c88025a2f9
  SHA1: 89cb1002187ca36f9096fcc8452ce4ca20a2797c
  SHA256: 217d3e67a19c09ff478cdcdbc812265bb3e1ad2815b0a204880d3e80fff5b189
  SHA512: f5c23f2038e2cb11cd484fe00e9dcb57138b97a12b4182741f39567686fa4d67ce05b202b4295e35699f5f58fec7d1bd021be8acd7af96170d34a9f43da31d1e
-
  Filesize: 1KB
  MD5: d02eb06a0cdf5b247f229cda78b253ab
  SHA1: 9e87dbf39c28a089f58e66730d638a1d260ab3cd
  SHA256: 0126a52fd4c35c41dc0036b7d8f13a34a359ccdf1f58935599d219158e277ab8
  SHA512: 50b80b64662e0b83e47d0ea3d2de3805d8334c0ce0e6e29d5d798cbdb58538ae2c2f0857f7a44a1c0b5d7ec585d03781775e4fdcb298917ba260f4bf670e80f1
-
  Filesize: 1KB
  MD5: 16f9c877f3bd0b235f9f155b5a0a7bba
  SHA1: ed9b8764c3cbd0eb6eca8646de7252cf0fbcc1f4
  SHA256: be99fa3ef190fee33cff36ee6eb9fc7bfa08b0a3b88b3270a65fe268b483cacb
  SHA512: ae3bb21d4413153edccdaf44c9964397480014f98958a0cfc34992446d251dd39f87fdafe90b14801e2f7074c5036c097c4bbaac1375b1885d4377c60205df86
-
  Filesize: 11KB
  MD5: 0063d48afe5a0cdc02833145667b6641
  SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
  SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
  SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0