e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037

Resubmissions

21-11-2020 16:12

201121-3vsypzcqyx 10

21-11-2020 15:12

201121-c152v5zkxx 10

Analysis

max time kernel
188s
max time network
190s
platform
windows10_x64
resource
win10v20201028
submitted
21-11-2020 16:12

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
Size

532KB
MD5

76f547c793b5478b970c64caf04d01d4
SHA1

f9eb40f6d3d4c83852e3781886db762bef8564e0
SHA256

e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037
SHA512

91e91a8b693cb253f281411260611a221a113b342eaa642a9d6597aaf86c138ee2aa28ade10218a814ae34016e6d70824e36786497476ab704defddf60e33e17

Score

10^/10

bootkit ransomware

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4704 created 2020	4704	WerFault.exe	88

Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs

Enables rebooting of the machine without requiring login credentials.

ransomware bootkit

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4704	2020	WerFault.exe	88

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Colors	PaintStudio.View.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions\Cached	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\LowRegistry	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions	PaintStudio.View.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	PaintStudio.View.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\ShellRefresh\1	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content	PaintStudio.View.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
4156	WINWORD.EXE
4156	WINWORD.EXE
2020	PaintStudio.View.exe

Suspicious behavior: EnumeratesProcesses 198 IoCs

pid	Process
4060	mspaint.exe
4060	mspaint.exe
2020	PaintStudio.View.exe
2020	PaintStudio.View.exe
2020	PaintStudio.View.exe
2020	PaintStudio.View.exe
2020	PaintStudio.View.exe
2020	PaintStudio.View.exe
2020	PaintStudio.View.exe
2020	PaintStudio.View.exe
2020	PaintStudio.View.exe
2020	PaintStudio.View.exe
2020	PaintStudio.View.exe
4704	WerFault.exe
4704	WerFault.exe
4704	WerFault.exe
4704	WerFault.exe
4704	WerFault.exe
4704	WerFault.exe
4704	WerFault.exe
4704	WerFault.exe
4704	WerFault.exe
4704	WerFault.exe
4704	WerFault.exe
4704	WerFault.exe
4704	WerFault.exe
4704	WerFault.exe
4704	WerFault.exe
4704	WerFault.exe
4704	WerFault.exe
4704	WerFault.exe
4704	WerFault.exe
2804	taskmgr.exe
2804	taskmgr.exe
2020	PaintStudio.View.exe
2020	PaintStudio.View.exe
2020	PaintStudio.View.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2804	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	PaintStudio.View.exe
Token: SeDebugPrivilege	2020	PaintStudio.View.exe
Token: SeDebugPrivilege	2020	PaintStudio.View.exe
Token: SeDebugPrivilege	4704	WerFault.exe
Token: SeDebugPrivilege	2804	taskmgr.exe
Token: SeSystemProfilePrivilege	2804	taskmgr.exe
Token: SeCreateGlobalPrivilege	2804	taskmgr.exe

Suspicious use of FindShellTrayWindow 175 IoCs

pid	Process
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe

Suspicious use of SendNotifyMessage 175 IoCs

pid	Process
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4708	e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
4156	WINWORD.EXE
4156	WINWORD.EXE
4156	WINWORD.EXE
4156	WINWORD.EXE
4156	WINWORD.EXE
4156	WINWORD.EXE
4060	mspaint.exe
4156	WINWORD.EXE
2020	PaintStudio.View.exe
4508	LogonUI.exe
4508	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
"C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4708

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ConnectCompare.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4156

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ResolveUnpublish.png" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4060

\??\c:\windows\system32\rundll32.exe
rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh
1⤵
- Modifies registry class
PID:984

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2020
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2020 -s 3964
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4704

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2804

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5028

C:\Windows\HelpPane.exe
"C:\Windows\HelpPane.exe"
1⤵
PID:2308

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a8a055 /state1:0x41c64e6d
1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4156-2-0x00007FF85E9A0000-0x00007FF85EFD7000-memory.dmp

Filesize
6.2MB

Download
memory/4704-4-0x000001605D0A0000-0x000001605D0A1000-memory.dmp

Filesize
4KB

Download
memory/4704-3-0x000001605D0A0000-0x000001605D0A1000-memory.dmp

Filesize
4KB

Download
memory/4704-6-0x000001605D0A0000-0x000001605D0A1000-memory.dmp

Filesize
4KB

Download
memory/4704-8-0x000001605D3E0000-0x000001605D3E1000-memory.dmp

Filesize
4KB

Download
memory/4704-10-0x000001605D7E0000-0x000001605D7E1000-memory.dmp

Filesize
4KB

Download
memory/4704-12-0x000001605D7E0000-0x000001605D7E1000-memory.dmp

Filesize
4KB

Download
memory/4704-14-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-16-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-18-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-20-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-22-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-26-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-28-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-30-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-32-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-34-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-36-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-38-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-40-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-42-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-44-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-46-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-47-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-49-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-51-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-52-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-54-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-56-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-58-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-60-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-62-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-64-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-66-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-68-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-70-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-72-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-74-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-76-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-78-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-79-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-81-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-83-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-85-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-87-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-89-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-91-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-93-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-95-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-97-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-99-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-101-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-103-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-105-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-107-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-109-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-111-0x000001605E820000-0x000001605E821000-memory.dmp

Filesize
4KB

Download
memory/4704-113-0x000001605E780000-0x000001605E781000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads