exorcist | dfecb46078038bcfa9d0b8db18bdc0646f33bad55ee7dd5ee46e61c6cf399620

General

Target

Setup.exe
Size

68KB
MD5

9e5c89c84cdbf460fc6857c4e32dafdf
SHA1

ee0a95846ce48c59261eda0fdd6b38dfc83d9f4d
SHA256

dfecb46078038bcfa9d0b8db18bdc0646f33bad55ee7dd5ee46e61c6cf399620
SHA512

6da517ae5159ebcb0ac138b34215924fb21adae619c3c15ede6863866648e445633f482b2beaddbe74de66b48e18d106dbde3253ee2d3ce86da667f7f8494cd8

Score

10^/10

ransomware exorcist persistence

Malware Config

Signatures

Exorcist Ransomware
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops desktop.ini file(s) 2 IoCs

Processes:

Setup.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	Setup.exe
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-18\desktop.ini	Setup.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
File opened (read-only)	\??\V:	Setup.exe
File opened (read-only)	\??\N:	Setup.exe
File opened (read-only)	\??\L:	Setup.exe
File opened (read-only)	\??\K:	Setup.exe
File opened (read-only)	\??\I:	Setup.exe
File opened (read-only)	\??\F:	Setup.exe
File opened (read-only)	\??\B:	Setup.exe
File opened (read-only)	\??\Y:	Setup.exe
File opened (read-only)	\??\S:	Setup.exe
File opened (read-only)	\??\P:	Setup.exe
File opened (read-only)	\??\H:	Setup.exe
File opened (read-only)	\??\A:	Setup.exe
File opened (read-only)	\??\W:	Setup.exe
File opened (read-only)	\??\R:	Setup.exe
File opened (read-only)	\??\O:	Setup.exe
File opened (read-only)	\??\M:	Setup.exe
File opened (read-only)	\??\J:	Setup.exe
File opened (read-only)	\??\G:	Setup.exe
File opened (read-only)	\??\D:	Setup.exe
File opened (read-only)	\??\Z:	Setup.exe
File opened (read-only)	\??\X:	Setup.exe
File opened (read-only)	\??\U:	Setup.exe
File opened (read-only)	\??\T:	Setup.exe
File opened (read-only)	\??\Q:	Setup.exe
File opened (read-only)	\??\E:	Setup.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1896 vssadmin.exe

pid	process
1896	vssadmin.exe

Modifies data under HKEY_USERS 227 IoCs

Processes:

Setup.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0043006c0065006100720053007400650070002e0064006f007400780000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 97b397c7e5cfa077b7a735b93574de92d1cc2edc02ac54885b7ee9dc08b9f36b	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = e9176852d581a52cab6244ea53cdc1c433d2a9b3d6690ae6d7bb2ed71ff39707	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = e99b1dbee5835d2c1e6c6aee072c9e2cccc00d180b7b914e6504cfd6bb12d491	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0049006e0069007400690061006c0069007a00650055006e006c006f0063006b002e0064006f007400780000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 41a92b0e4b539ac81929610e6d01a223877bce46f16bf608d14c0fe7a10e3f40	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 16e4ab9deb83149e4d9dbce8abe3fbb0ead202e42b7d93cf9bc5846496d8b8f6	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 2eeb5c7fcc61383d0ff52cd4ce426b29d7f016289e46d0c644a7f2666373f0fb	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0055006e007000750062006c00690073006800530065006c006500630074002e006d003100760000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 90879ff0669c41e3aaa08333e08626735be5f1169ca81205153d7f63d20107c1	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = cab29b97a28fd9f492fd89b970bd2d0a853b040b4930c15a05c7e2a07ccb0a1f	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c005200650063006500690076006500530074006100720074002e0070006f0074006d0000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0043006f006e00740061006300740073005c00410064006d0069006e002e0063006f006e00740061006300740000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 62a0622840004f4171f78559e0e48be418099518e00267df3486cf4f6ed2414a	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 0ea8f35fe456bc9ad1a41b71f60431f151208a4ed295db9615fc8f530de49ecf	Setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadNetworkName = "Network"	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = cc639a7782bf54d7c92002221b07904201a792ae8778c2527cb58487decc71a8	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = be03917e8b71fdee4bf7d3e1cf67b9390f79760eb5a5abf105aedbe63e5d8861	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0041006400640057006100690074002e0070006f0074006d0000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = c50dc69ec4c4367b89b8f4d6c2e5be57767222f4840a3545dce80f90d09a6011	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = a6c1d8affe2bbb6583ffeecca83545213848c7e1cab4557f168aec8d314935cb	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00610066003300350064006400610034002d0063006300340038002d0031003100650061002d0062003300350036002d003800300036006500360066003600650036003900360033007d0000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c005200650063006f0076006500720079005c00300035003100620065003100380032002d0063006300350031002d0031003100650061002d0061006300310033002d003400360066003800610037003600300030006500620065005c0062006f006f0074002e0073006400690000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 6f26c4963b17868ff366ae8717ab21c2ef06cdf1691d0a33c3014271ed0adb10	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 79c46bdc83ac04e04f783d05ca62eb325ea19979677406094d006e0297a411c8	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 3a2600a45241586cb765070b453d4abbf96145ed0da72eb54bff4a279aff2fd7	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0052006500730075006d00650052006500730074006f00720065002e00760073007300780000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = f5064a471e4a53a5d18a0124862c85fa9bccded9e69efe90890fbdcd0d131a13	Setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = e2fedd6d9549ea978f003aefed2d883d380c609546d454d3f1638ae73fd9f3d8	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0053006b00690070005000750062006c006900730068002e006a007000670000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = c30c63c2c30ae1ae3f3b0cf897012e9b1b591d6d6ca65a66c2d52ff67a73e9d3	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = a1bb31a61d5daf6aba75f7a8edda039cd9524511b33c50941b1615eeac2424d0	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = b7bb39591ad5ae0e1bbab120d2949e3354269947f372da7565b79ef78348d62b	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = fcee67ac81a9192ecce3de256d50900b8cb5f9e4812a979cc30a075b86457e19	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 6cd5f3769530f1c839ad2cb8aaacd674ca8369666a5a630e432d9a86d71b4f3b	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c00530074006f0070004a006f0069006e002e0069006e00660000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0049006e007300740061006c006c0046006f0072006d00610074002e0078006c007400780000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0052006500630065006e0074006c0079002e0064006f006300780000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 5d6b5bfb9931154b1338b9af15478a606523edac8d892fc838b9d68053c9db78	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 70153f8d75e1f41bf42e2e80f2ddb59807c46bb68d39ad626adda536f185e517	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = de3fbc30372043165694b51b21a67f777ac9cbbb1bd23a753e51189b7ecf3750	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 95a75317804fab9e4be2fa7fa4a4629dc93315988b8c41752da9e661761c3411	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadDecisionTime = 708b95373797d601	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 57a22a4dc3f13637fb6811252d77f8ee484300bde1bdbcce9a7c631e0585e4f0	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = c29e19df0f716a7c39d130675ba7c8ec7c6ce80fdcafce760aa8a17c1d24441d	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 99c0b9ef3cb9776ca53df01a49e9c0a0ed13e397712b36f6c7bd486efafb19e4	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0045007800700061006e0064004500780070006f00720074002e00330067007000320000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 15c431031f31f6379cd241e3bc9b50fcbdbcc1e458ec2ab603c1279358881446	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = d71cf2d86d4e2d0ab545a5b64590883b4fb8f1fbbe79b0359b4c3c93afff95da	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 868e2dc0ca8416215aa4c27b6588eac0b1f3392223f6e7adf0e0b9dffd1e6999	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c005200650076006f006b00650049006d0070006f00720074002e0041004100430000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = c25ae54e8db12e8c89d2746e13d1ab48d4fd71650a3d64680dc629b4b52cce51	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 25c5c807657ad6ada6c03afbf44bbf7d9eedf0af8f049f90db0c2b594c9caae5	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = da8bf523dedfc7d44e42faf8a8224b8f2f71494aaffa5db217be42a5b738161c	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0049006e0069007400690061006c0069007a00650046006f0072006d00610074002e00700070007300780000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0052006500610064005500700064006100740065002e006f006400700000000000	Setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{af35dda4-cc48-11ea-b356-806e6f6e6963}\MaxCapacity = "15140"	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	Setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Setup.exe

NTFS ADS 4 IoCs

Processes:

Setup.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\47TJ4Z\windows.sys:dhpkxqkdun	Setup.exe
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\bGMJEE\windows.sys:qvqhfjkvnrdtqgtt	Setup.exe
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\47TJ4Z\windows.sys:dhpkxqkdun	Setup.exe
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\SITvts\windows.sys:qxoyhxveerelbnrwg	Setup.exe

Suspicious behavior: EnumeratesProcesses 1312 IoCs

Processes:

Setup.exe

pid	process
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

Setup.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	748	Setup.exe
Token: SeRestorePrivilege	748	Setup.exe
Token: SeDebugPrivilege	748	Setup.exe
Token: SeSecurityPrivilege	748	Setup.exe
Token: SeRestorePrivilege	748	Setup.exe
Token: SeDebugPrivilege	748	Setup.exe
Token: SeBackupPrivilege	1932	vssvc.exe
Token: SeRestorePrivilege	1932	vssvc.exe
Token: SeAuditPrivilege	1932	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1752	WMIC.exe
Token: SeSecurityPrivilege	1752	WMIC.exe
Token: SeTakeOwnershipPrivilege	1752	WMIC.exe
Token: SeLoadDriverPrivilege	1752	WMIC.exe
Token: SeSystemProfilePrivilege	1752	WMIC.exe
Token: SeSystemtimePrivilege	1752	WMIC.exe
Token: SeProfSingleProcessPrivilege	1752	WMIC.exe
Token: SeIncBasePriorityPrivilege	1752	WMIC.exe
Token: SeCreatePagefilePrivilege	1752	WMIC.exe
Token: SeBackupPrivilege	1752	WMIC.exe
Token: SeRestorePrivilege	1752	WMIC.exe
Token: SeShutdownPrivilege	1752	WMIC.exe
Token: SeDebugPrivilege	1752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1752	WMIC.exe
Token: SeRemoteShutdownPrivilege	1752	WMIC.exe
Token: SeUndockPrivilege	1752	WMIC.exe
Token: SeManageVolumePrivilege	1752	WMIC.exe
Token: 33	1752	WMIC.exe
Token: 34	1752	WMIC.exe
Token: 35	1752	WMIC.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

Setup.execmd.execmd.exe

description	pid	process	target process
PID 748 wrote to memory of 1828	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1828	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1828	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1828	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1828	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1828	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1828	748	Setup.exe	cmd.exe
PID 1828 wrote to memory of 1896	1828	cmd.exe	vssadmin.exe
PID 1828 wrote to memory of 1896	1828	cmd.exe	vssadmin.exe
PID 1828 wrote to memory of 1896	1828	cmd.exe	vssadmin.exe
PID 1828 wrote to memory of 1896	1828	cmd.exe	vssadmin.exe
PID 1828 wrote to memory of 1896	1828	cmd.exe	vssadmin.exe
PID 1828 wrote to memory of 1896	1828	cmd.exe	vssadmin.exe
PID 1828 wrote to memory of 1896	1828	cmd.exe	vssadmin.exe
PID 748 wrote to memory of 1844	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1844	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1844	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1844	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1844	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1844	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1844	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 332	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 332	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 332	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 332	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 332	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 332	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 332	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1356	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1356	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1356	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1356	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1356	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1356	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1356	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 576	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 576	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 576	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 576	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 576	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 576	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 576	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1652	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1652	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1652	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1652	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1652	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1652	748	Setup.exe	cmd.exe
PID 748 wrote to memory of 1652	748	Setup.exe	cmd.exe
PID 1652 wrote to memory of 1752	1652	cmd.exe	WMIC.exe
PID 1652 wrote to memory of 1752	1652	cmd.exe	WMIC.exe
PID 1652 wrote to memory of 1752	1652	cmd.exe	WMIC.exe
PID 1652 wrote to memory of 1752	1652	cmd.exe	WMIC.exe
PID 1652 wrote to memory of 1752	1652	cmd.exe	WMIC.exe
PID 1652 wrote to memory of 1752	1652	cmd.exe	WMIC.exe
PID 1652 wrote to memory of 1752	1652	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies data under HKEY_USERS
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\SysWOW64\cmd.exe
  cmd /C vssadmin Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit /set {default} recoveryenabled No
  2⤵
  PID:1844
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:332
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:1356
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  PID:576
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wmic SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/332-12-0x0000000000000000-mapping.dmp

Download
memory/576-20-0x0000000000000000-mapping.dmp

Download
memory/748-0-0x0000000003D50000-0x0000000003E51000-memory.dmp

Filesize
1.0MB

Download
memory/748-27-0x0000000004160000-0x0000000004171000-memory.dmp

Filesize
68KB

Download
memory/748-29-0x0000000004160000-0x0000000004171000-memory.dmp

Filesize
68KB

Download
memory/1356-16-0x0000000000000000-mapping.dmp

Download
memory/1652-24-0x0000000000000000-mapping.dmp

Download
memory/1752-25-0x0000000000000000-mapping.dmp

Download
memory/1828-3-0x0000000000000000-mapping.dmp

Download
memory/1844-8-0x0000000000000000-mapping.dmp

Download
memory/1896-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads