Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10ec4f09f82d...d3.exe
windows10-2004-x64
10efd97b1038...ea4.js
windows10-2004-x64
3emotet_exe...04.exe
windows10-2004-x64
10emotet_exe...23.exe
windows10-2004-x64
10eupdate.exe
windows10-2004-x64
7f4f47c67be...3f.exe
windows10-2004-x64
10fb5d110ced...9c.exe
windows10-2004-x64
6fee15285c3...35.exe
windows10-2004-x64
10file(1).exe
windows10-2004-x64
1file.exe
windows10-2004-x64
7gjMEi6eG.exe
windows10-2004-x64
10good.exe
windows10-2004-x64
10hyundai st...1).exe
windows10-2004-x64
10hyundai st...10.exe
windows10-2004-x64
10infected d...er.exe
windows10-2004-x64
10inps_979.xls
windows10-2004-x64
1jar.jar
windows10-2004-x64
10june9.dll
windows10-2004-x64
10mouse_2.exe
windows10-2004-x64
10oof.exe
windows10-2004-x64
3openme.exe
windows10-2004-x64
10ou55sg33s_1.exe
windows10-2004-x64
10senate.dll
windows10-2004-x64
10starticon3.exe
windows10-2004-x64
10str.dll
windows10-2004-x64
10svchost.exe
windows10-2004-x64
10update.exe
windows10-2004-x64
10vir1.xlsx
windows10-2004-x64
1wwf[1].exe
windows10-2004-x64
10xNet.dll
windows10-2004-x64
1전산 및...��.exe
windows10-2004-x64
10전산 및...�1.exe
windows10-2004-x64
10Analysis
-
max time kernel
147s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04/12/2024, 19:31
Static task
static1
Behavioral task
behavioral1
Sample
ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral2
Sample
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
eupdate.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
file(1).exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
file.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
gjMEi6eG.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
good.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
hyundai steel-pipe- job 8010(1).exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
hyundai steel-pipe- job 8010.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
infected dot net installer.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
inps_979.xls
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
jar.jar
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
june9.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
mouse_2.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
oof.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
openme.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
ou55sg33s_1.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
senate.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
starticon3.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
str.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
svchost.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
update.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
vir1.xlsx
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
wwf[1].exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
xNet.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe
-
Size
228KB
-
MD5
8399865e44e7d6a193f8c8acf547eb31
-
SHA1
17e3bee5debada69dadec0b748256925a1a8b1ac
-
SHA256
aaf7bb9ad358726ca367f1827686dc15fea925f26ab1e201a2768c67472e8890
-
SHA512
bf9ceb3a36ca874dceb9ccfec8e7635f5f11f83f04226ceb4e2b4b2548dbcecf2618fe5063bec068b1571867984d0beece6b5f9be0747a13ddb53f9a09aa4d61
-
SSDEEP
3072:tPTcPP3LvQjfIY9Spek01stm+XIm1EWaVw3ItNVFZUyfUNjhb+P0I1fcj:tPTcPfL43SW1stDXaXw3ItNVTUVjhGy
Malware Config
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Makop family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (8081) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 3512 wbadmin.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe\"" 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 25 iplogger.org 26 iplogger.org -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10R.CHM 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-200.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.scale-150.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-white_scale-100.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-256.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-96_altform-unplated.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\javafx\glib.md 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\19.jpg 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-hover.svg 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-100_contrast-white.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\BASMLA.XSL 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-256_altform-unplated.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-24_altform-unplated.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-100.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-150.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32_altform-lightunplated.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\ui-strings.js 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\ui-strings.js 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\share_icons.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-200_contrast-white.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-36_altform-unplated.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\ui-strings.js 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\ui-strings.js 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\offsymsl.ttf 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\en-GB_female_TTS\prompts_en-GB_TTS.lua 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MediumTile.scale-200_contrast-black.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\It.Tests.ps1 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Spiral.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_1_Loud.m4a 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ppd.xrm-ms 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files (x86)\Windows Media Player\de-DE\wmlaunch.exe.mui 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_selected_18.svg 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\kk.pak.DATA 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\HeroAppTile.xml 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\2px.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\cloud_secured_lg.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\Windows Media Player\it-IT\wmlaunch.exe.mui 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\WideTile.scale-200.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\THMBNAIL.PNG 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-white_scale-125.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\resources.pri 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Video_Msg_Record.m4a 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\MemMDL2.1.85.ttf 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\ui-strings.js 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\Windows Media Player\de-DE\wmlaunch.exe.mui 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionWideTile.scale-100.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-400.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-unplated_contrast-black.png 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\PackageManagementDscUtilities.strings.psd1 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe -
Program crash 4 IoCs
pid pid_target Process procid_target 5112 4484 WerFault.exe 82 2464 4348 WerFault.exe 107 3784 3324 WerFault.exe 110 4068 4388 WerFault.exe 113 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2372 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3504 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe 3504 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeBackupPrivilege 5004 vssvc.exe Token: SeRestorePrivilege 5004 vssvc.exe Token: SeAuditPrivilege 5004 vssvc.exe Token: SeBackupPrivilege 2192 wbengine.exe Token: SeRestorePrivilege 2192 wbengine.exe Token: SeSecurityPrivilege 2192 wbengine.exe Token: SeIncreaseQuotaPrivilege 952 WMIC.exe Token: SeSecurityPrivilege 952 WMIC.exe Token: SeTakeOwnershipPrivilege 952 WMIC.exe Token: SeLoadDriverPrivilege 952 WMIC.exe Token: SeSystemProfilePrivilege 952 WMIC.exe Token: SeSystemtimePrivilege 952 WMIC.exe Token: SeProfSingleProcessPrivilege 952 WMIC.exe Token: SeIncBasePriorityPrivilege 952 WMIC.exe Token: SeCreatePagefilePrivilege 952 WMIC.exe Token: SeBackupPrivilege 952 WMIC.exe Token: SeRestorePrivilege 952 WMIC.exe Token: SeShutdownPrivilege 952 WMIC.exe Token: SeDebugPrivilege 952 WMIC.exe Token: SeSystemEnvironmentPrivilege 952 WMIC.exe Token: SeRemoteShutdownPrivilege 952 WMIC.exe Token: SeUndockPrivilege 952 WMIC.exe Token: SeManageVolumePrivilege 952 WMIC.exe Token: 33 952 WMIC.exe Token: 34 952 WMIC.exe Token: 35 952 WMIC.exe Token: 36 952 WMIC.exe Token: SeIncreaseQuotaPrivilege 952 WMIC.exe Token: SeSecurityPrivilege 952 WMIC.exe Token: SeTakeOwnershipPrivilege 952 WMIC.exe Token: SeLoadDriverPrivilege 952 WMIC.exe Token: SeSystemProfilePrivilege 952 WMIC.exe Token: SeSystemtimePrivilege 952 WMIC.exe Token: SeProfSingleProcessPrivilege 952 WMIC.exe Token: SeIncBasePriorityPrivilege 952 WMIC.exe Token: SeCreatePagefilePrivilege 952 WMIC.exe Token: SeBackupPrivilege 952 WMIC.exe Token: SeRestorePrivilege 952 WMIC.exe Token: SeShutdownPrivilege 952 WMIC.exe Token: SeDebugPrivilege 952 WMIC.exe Token: SeSystemEnvironmentPrivilege 952 WMIC.exe Token: SeRemoteShutdownPrivilege 952 WMIC.exe Token: SeUndockPrivilege 952 WMIC.exe Token: SeManageVolumePrivilege 952 WMIC.exe Token: 33 952 WMIC.exe Token: 34 952 WMIC.exe Token: 35 952 WMIC.exe Token: 36 952 WMIC.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3504 wrote to memory of 3744 3504 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe 83 PID 3504 wrote to memory of 3744 3504 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe 83 PID 3744 wrote to memory of 2372 3744 cmd.exe 85 PID 3744 wrote to memory of 2372 3744 cmd.exe 85 PID 3744 wrote to memory of 3512 3744 cmd.exe 88 PID 3744 wrote to memory of 3512 3744 cmd.exe 88 PID 3744 wrote to memory of 952 3744 cmd.exe 92 PID 3744 wrote to memory of 952 3744 cmd.exe 92 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe" n35042⤵
- System Location Discovery: System Language Discovery
PID:4484 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 7523⤵
- Program crash
PID:5112
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2372
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:3512
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:952
-
-
-
C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe" n35042⤵
- System Location Discovery: System Language Discovery
PID:4348 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 7683⤵
- Program crash
PID:2464
-
-
-
C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe" n35042⤵
- System Location Discovery: System Language Discovery
PID:3324 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 7723⤵
- Program crash
PID:3784
-
-
-
C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe" n35042⤵
- System Location Discovery: System Language Discovery
PID:4388 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 6523⤵
- Program crash
PID:4068
-
-
-
C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe" n35042⤵PID:1812
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5004
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2192
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:3624
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:2140
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4484 -ip 44841⤵PID:4392
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4348 -ip 43481⤵PID:4904
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3324 -ip 33241⤵PID:1072
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4388 -ip 43881⤵PID:4872
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1