48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c

Analysis

max time kernel
135s
max time network
50s
platform
windows10_x64
resource
win10v200430
submitted
15-07-2020 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.bin.exe
Size

645KB
MD5

79cdf459683c39e9704a37a6be9bc877
SHA1

450d4f351c3dd168e313b309da4bd8a817453d1d
SHA256

48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c
SHA512

2cc3f164e92650c4d4aed7012da7d303d24cdc63565ed744a28cb6d59465189233a128a01f4b807aa972057e0d0d98742c5ca9b41a67bf59f0f115de30eb6bd4

Score

10^/10

ransomware persistence evasion trojan

Malware Config

Signatures

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1368	vssadmin.exe
2200	vssadmin.exe
3828	vssadmin.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-1231583446-2617009595-2137880041-1000\desktop.ini	1.bin.exe

Suspicious behavior: EnumeratesProcesses 756 IoCs

pid	Process
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3392	WerFault.exe
3392	WerFault.exe
3392	WerFault.exe
3392	WerFault.exe
3392	WerFault.exe
3392	WerFault.exe
3392	WerFault.exe
3392	WerFault.exe
3392	WerFault.exe
3392	WerFault.exe
3392	WerFault.exe
3392	WerFault.exe
3392	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe
1516	1.bin.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 3620	1516	1.bin.exe	66
PID 1516 wrote to memory of 3620	1516	1.bin.exe	66
PID 1516 wrote to memory of 3620	1516	1.bin.exe	66
PID 1516 wrote to memory of 1368	1516	1.bin.exe	70
PID 1516 wrote to memory of 1368	1516	1.bin.exe	70
PID 1516 wrote to memory of 1368	1516	1.bin.exe	70
PID 1516 wrote to memory of 1908	1516	1.bin.exe	73
PID 1516 wrote to memory of 1908	1516	1.bin.exe	73
PID 1516 wrote to memory of 1908	1516	1.bin.exe	73
PID 1516 wrote to memory of 2200	1516	1.bin.exe	75
PID 1516 wrote to memory of 2200	1516	1.bin.exe	75
PID 1516 wrote to memory of 2200	1516	1.bin.exe	75
PID 1516 wrote to memory of 2772	1516	1.bin.exe	77
PID 1516 wrote to memory of 2772	1516	1.bin.exe	77
PID 1516 wrote to memory of 2772	1516	1.bin.exe	77
PID 1516 wrote to memory of 3828	1516	1.bin.exe	79
PID 1516 wrote to memory of 3828	1516	1.bin.exe	79
PID 1516 wrote to memory of 3828	1516	1.bin.exe	79

Program crash 6 IoCs

pid	pid_target	Process	procid_target
3812	1516	WerFault.exe	65
3392	1516	WerFault.exe	65
1808	1516	WerFault.exe	65
3228	1516	WerFault.exe	65
504	1516	WerFault.exe	65
908	1516	WerFault.exe	65

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	1.bin.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Suspicious use of AdjustPrivilegeToken 74 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3620	wmic.exe
Token: SeSecurityPrivilege	3620	wmic.exe
Token: SeTakeOwnershipPrivilege	3620	wmic.exe
Token: SeLoadDriverPrivilege	3620	wmic.exe
Token: SeSystemProfilePrivilege	3620	wmic.exe
Token: SeSystemtimePrivilege	3620	wmic.exe
Token: SeProfSingleProcessPrivilege	3620	wmic.exe
Token: SeIncBasePriorityPrivilege	3620	wmic.exe
Token: SeCreatePagefilePrivilege	3620	wmic.exe
Token: SeBackupPrivilege	3620	wmic.exe
Token: SeRestorePrivilege	3620	wmic.exe
Token: SeShutdownPrivilege	3620	wmic.exe
Token: SeDebugPrivilege	3620	wmic.exe
Token: SeSystemEnvironmentPrivilege	3620	wmic.exe
Token: SeRemoteShutdownPrivilege	3620	wmic.exe
Token: SeUndockPrivilege	3620	wmic.exe
Token: SeManageVolumePrivilege	3620	wmic.exe
Token: 33	3620	wmic.exe
Token: 34	3620	wmic.exe
Token: 35	3620	wmic.exe
Token: 36	3620	wmic.exe
Token: SeBackupPrivilege	1720	vssvc.exe
Token: SeRestorePrivilege	1720	vssvc.exe
Token: SeAuditPrivilege	1720	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1908	wmic.exe
Token: SeSecurityPrivilege	1908	wmic.exe
Token: SeTakeOwnershipPrivilege	1908	wmic.exe
Token: SeLoadDriverPrivilege	1908	wmic.exe
Token: SeSystemProfilePrivilege	1908	wmic.exe
Token: SeSystemtimePrivilege	1908	wmic.exe
Token: SeProfSingleProcessPrivilege	1908	wmic.exe
Token: SeIncBasePriorityPrivilege	1908	wmic.exe
Token: SeCreatePagefilePrivilege	1908	wmic.exe
Token: SeBackupPrivilege	1908	wmic.exe
Token: SeRestorePrivilege	1908	wmic.exe
Token: SeShutdownPrivilege	1908	wmic.exe
Token: SeDebugPrivilege	1908	wmic.exe
Token: SeSystemEnvironmentPrivilege	1908	wmic.exe
Token: SeRemoteShutdownPrivilege	1908	wmic.exe
Token: SeUndockPrivilege	1908	wmic.exe
Token: SeManageVolumePrivilege	1908	wmic.exe
Token: 33	1908	wmic.exe
Token: 34	1908	wmic.exe
Token: 35	1908	wmic.exe
Token: 36	1908	wmic.exe
Token: SeIncreaseQuotaPrivilege	2772	wmic.exe
Token: SeSecurityPrivilege	2772	wmic.exe
Token: SeTakeOwnershipPrivilege	2772	wmic.exe
Token: SeLoadDriverPrivilege	2772	wmic.exe
Token: SeSystemProfilePrivilege	2772	wmic.exe
Token: SeSystemtimePrivilege	2772	wmic.exe
Token: SeProfSingleProcessPrivilege	2772	wmic.exe
Token: SeIncBasePriorityPrivilege	2772	wmic.exe
Token: SeCreatePagefilePrivilege	2772	wmic.exe
Token: SeBackupPrivilege	2772	wmic.exe
Token: SeRestorePrivilege	2772	wmic.exe
Token: SeShutdownPrivilege	2772	wmic.exe
Token: SeDebugPrivilege	2772	wmic.exe
Token: SeSystemEnvironmentPrivilege	2772	wmic.exe
Token: SeRemoteShutdownPrivilege	2772	wmic.exe
Token: SeUndockPrivilege	2772	wmic.exe
Token: SeManageVolumePrivilege	2772	wmic.exe
Token: 33	2772	wmic.exe
Token: 34	2772	wmic.exe
Token: 35	2772	wmic.exe
Token: 36	2772	wmic.exe
Token: SeRestorePrivilege	3812	WerFault.exe
Token: SeBackupPrivilege	3812	WerFault.exe
Token: SeDebugPrivilege	3812	WerFault.exe
Token: SeDebugPrivilege	3392	WerFault.exe
Token: SeDebugPrivilege	1808	WerFault.exe
Token: SeDebugPrivilege	3228	WerFault.exe
Token: SeDebugPrivilege	504	WerFault.exe
Token: SeDebugPrivilege	908	WerFault.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1.bin.exe

C:\Users\Admin\AppData\Local\Temp\1.bin.exe
"C:\Users\Admin\AppData\Local\Temp\1.bin.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
- Checks whether UAC is enabled
PID:1516
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3620
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1368
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2200
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:3828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 816
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  PID:3812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 840
  2⤵
  - Program crash
  PID:3392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 844
  2⤵
  - Program crash
  PID:1808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 820
  2⤵
  - Program crash
  PID:3228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 896
  2⤵
  - Program crash
  PID:504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1136
  2⤵
  - Program crash
  PID:908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/504-27-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/504-24-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/908-31-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/908-28-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/1516-1-0x0000000003A00000-0x0000000003A01000-memory.dmp

Filesize
4KB

Download
memory/1516-0-0x0000000003623000-0x0000000003624000-memory.dmp

Filesize
4KB

Download
memory/1808-19-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/3228-23-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/3228-20-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/3392-15-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/3392-12-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/3812-11-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/3812-9-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/3812-8-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download