9a02671ffb82ee83b8f9afd028af3090ecd494bd7d8d7a2e2cc75f0ac187c3b8

Analysis

max time kernel
142s
max time network
114s
platform
windows10_x64
resource
win10v20201028
submitted
17-01-2021 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Photo-064-2021.jpg.scr
Size

126KB
MD5

ea4cf6019062e5555d81bb5510d79b3d
SHA1

0d95aa8ade975b9f85c54cdbabd08906a01e51ee
SHA256

9a02671ffb82ee83b8f9afd028af3090ecd494bd7d8d7a2e2cc75f0ac187c3b8
SHA512

8f1eb4eb9dd561faf05094552bf6769bbfb614de1c7c96cc568e7f45b22fdcdf7d7d7b518041e1ab15b9781ba85dca69c19b9a75cc85bd4aeea3e0540d9f17c9

Score

10^/10

discovery persistence ransomware spyware

Malware Config

Extracted

Path

C:\WERE_MY _FILES.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ------------------------------------------------ create a ticket to any of these addresses yip.su/2QstD5 cutt.ly/0htT0he shorturl.at/GOY24 bit.ly/3399Ozf ------------------------------------------------ you can also attach a small cryptted file for a free test decrypt Additional communication method ------------------------------- 1. Download Tor browser - httpps://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://helpqvrg3cc5mvb3.onion/ -------------------------------- You ID ��A8 8A 58 5D 8D F6 C9 B8 C0 92 A3 BE 83 C7 F4 A5 C4 C9 3B FC 12 C4 4E 03 47 F9 AA C6 26 58 09 54 CA 52 27 E4 0D 7C 55 87 B7 61 C4 73 DC C3 66 39 86 78 47 F7 20 0A C8 69 39 C0 E5 17 88 6B 2B 0F F4 BD 65 40 57 A3 71 94 57 98 05 89 35 BB 29 BE F7 35 26 35 E6 4D 1B E3 46 1A DA 4B 92 F3 E6 32 3B 74 01 F8 92 53 EE 43 C1 22 41 D8 8D 6A 37 9E F3 D1 06 FC 48 FE 54 E2 B3 41 7B 3C F9 0A B2 EA F0 2E BD E4 4B EB F2 7C 98 7D B9 A8 87 DA 6B 90 F0 7F FE 94 C7 A9 D7 5A 8A 5B 60 81 3A 34 F7 8D 70 6B F0 C0 79 9A 43 F5 0C 80 1B 42 33 38 74 40 97 9C 06 87 5C 51 49 37 7F 83 42 E8 EE 08 2C C8 26 16 F5 8D 51 C9 26 ED 6B C8 D4 8E BD 01 25 9E 1C B3 C0 A9 36 56 67 0F 2C F7 20 08 73 38 11 E1 82 9C 05 89 D4 D5 A0 B5 E0 31 E3 24 9C B7 D8 8D 20 D9 79 D1 1B 9B 15 6A A5 6D 44 10 56 D6 27 5D ��

URLs

httpps://www.torproject.org/

http://helpqvrg3cc5mvb3.onion/

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

smhost.exeswhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\smhost.exe\""	smhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\swhost.exe\""	swhost.exe

Executes dropped EXE 2 IoCs

Processes:

swhost.exesmhost.exe

pid process

3152 swhost.exe
3400 smhost.exe

pid	process
3152	swhost.exe
3400	smhost.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

aspnet_wp.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\AddGrant.crw => C:\Users\Admin\Pictures\AddGrant.crw.STAR	aspnet_wp.exe
File renamed	C:\Users\Admin\Pictures\ExitExpand.crw => C:\Users\Admin\Pictures\ExitExpand.crw.STAR	aspnet_wp.exe
File renamed	C:\Users\Admin\Pictures\LimitRead.crw => C:\Users\Admin\Pictures\LimitRead.crw.STAR	aspnet_wp.exe
File renamed	C:\Users\Admin\Pictures\MountUnprotect.tif => C:\Users\Admin\Pictures\MountUnprotect.tif.STAR	aspnet_wp.exe
File renamed	C:\Users\Admin\Pictures\UnblockRestore.png => C:\Users\Admin\Pictures\UnblockRestore.png.STAR	aspnet_wp.exe

Drops startup file 4 IoCs

Processes:

smhost.exeswhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smhost.exe	smhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smhost.exe	smhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\swhost.exe	swhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\swhost.exe	swhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

swhost.exesmhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\swhost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\swhost.exe"	swhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smhost.exe"	smhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\swhost.exe"	swhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\smhost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smhost.exe"	smhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 28 IoCs

Processes:

aspnet_wp.exe

description	ioc	process
File opened for modification	C:\Users\Public\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	aspnet_wp.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Program Files\desktop.ini	aspnet_wp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

Processes:

smhost.exeswhost.exe

pid	process
3400	smhost.exe
3400	smhost.exe
3400	smhost.exe
3400	smhost.exe
3400	smhost.exe
3400	smhost.exe
3400	smhost.exe
3400	smhost.exe
3400	smhost.exe
3400	smhost.exe
3400	smhost.exe
3400	smhost.exe
3152	swhost.exe
3152	swhost.exe
3152	swhost.exe
3152	swhost.exe
3152	swhost.exe
3152	swhost.exe
3152	swhost.exe
3152	swhost.exe
3152	swhost.exe
3152	swhost.exe
3152	swhost.exe
3152	swhost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

swhost.exesmhost.exe

description	pid	process	target process
PID 3152 set thread context of 3188	3152	swhost.exe	aspnet_wp.exe
PID 3400 set thread context of 2816	3400	smhost.exe	aspnet_wp.exe

Drops file in Program Files directory 18481 IoCs

Processes:

aspnet_wp.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main.css	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\3009_24x24x32.png	aspnet_wp.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\WERE_MY _FILES.txt	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\ui-strings.js	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\kg_16x11.png	aspnet_wp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms	aspnet_wp.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\WERE_MY _FILES.txt	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\WideTile.scale-200.png	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\offsymb.ttf	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\Buttons\Menu\Menu_back-over.png	aspnet_wp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\jawt_md.h	aspnet_wp.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\WERE_MY _FILES.txt	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner2x.gif	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\WideTile.scale-200.png	aspnet_wp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_asf_plugin.dll	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\lv_get.svg	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-24_altform-unplated.png	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\autumn_11h.png	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sk-sk\ui-strings.js	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\ui-strings.js	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\ui-strings.js	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_email.gif	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsMedTile.scale-200.png	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.scale-200.png	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\28.jpg	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\pitissue.jpg	aspnet_wp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libanaglyph_plugin.dll	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\go-mobile-2x.png	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2475_32x32x32.png	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\me_16x11.png	aspnet_wp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF	aspnet_wp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest	aspnet_wp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms	aspnet_wp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\main.css	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-150.png	aspnet_wp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-64_contrast-black.png	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\Smooth.scale-100.png	aspnet_wp.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\WERE_MY _FILES.txt	aspnet_wp.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\WERE_MY _FILES.txt	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\example_icons.png	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6365_36x36x32.png	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\AppCS\Assets\PhtoMDL2.1.61.ttf	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Close2x.png	aspnet_wp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms	aspnet_wp.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\pt-br\WERE_MY _FILES.txt	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\dk_16x11.png	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\_Resources\1.rsrc	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsBadge.contrast-black_scale-100.png	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-white\Square71x71Logo.scale-100.png	aspnet_wp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_zh_4.4.0.v20140623020002.jar	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\cross.png	aspnet_wp.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\WERE_MY _FILES.txt	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	aspnet_wp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.ExcelServices.Resources.dll	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3416_20x20x32.png	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageLargeTile.scale-100.png	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedSplash.scale-100_contrast-white.png	aspnet_wp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailWideTile.scale-150.png	aspnet_wp.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2868 3152 WerFault.exe swhost.exe
2260 3400 WerFault.exe smhost.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

3912 timeout.exe
196 timeout.exe
212 timeout.exe
4092 timeout.exe
3620 timeout.exe
3292 timeout.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

pid	pid_target	process	target process
2868	3152	WerFault.exe	swhost.exe
2260	3400	WerFault.exe	smhost.exe

pid	process
3912	timeout.exe
196	timeout.exe
212	timeout.exe
4092	timeout.exe
3620	timeout.exe
3292	timeout.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

Photo-064-2021.jpg.scrsmhost.exeswhost.exeWerFault.exeWerFault.exe

pid	process
3160	Photo-064-2021.jpg.scr
3160	Photo-064-2021.jpg.scr
3400	smhost.exe
3152	swhost.exe
3400	smhost.exe
3400	smhost.exe
3400	smhost.exe
3400	smhost.exe
3152	swhost.exe
3152	swhost.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2260	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

aspnet_wp.exe

pid process

3188 aspnet_wp.exe

pid	process
3188	aspnet_wp.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

Photo-064-2021.jpg.scrsmhost.exeswhost.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3160	Photo-064-2021.jpg.scr
Token: SeDebugPrivilege	3400	smhost.exe
Token: SeDebugPrivilege	3152	swhost.exe
Token: SeRestorePrivilege	2260	WerFault.exe
Token: SeBackupPrivilege	2260	WerFault.exe
Token: SeRestorePrivilege	2868	WerFault.exe
Token: SeBackupPrivilege	2868	WerFault.exe
Token: SeBackupPrivilege	2868	WerFault.exe
Token: SeDebugPrivilege	2868	WerFault.exe
Token: SeDebugPrivilege	2260	WerFault.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

Photo-064-2021.jpg.scrsmhost.exeswhost.execmd.execmd.execmd.execmd.execmd.execmd.exeaspnet_wp.exe

description	pid	process	target process
PID 3160 wrote to memory of 3152	3160	Photo-064-2021.jpg.scr	swhost.exe
PID 3160 wrote to memory of 3152	3160	Photo-064-2021.jpg.scr	swhost.exe
PID 3160 wrote to memory of 3152	3160	Photo-064-2021.jpg.scr	swhost.exe
PID 3160 wrote to memory of 3400	3160	Photo-064-2021.jpg.scr	smhost.exe
PID 3160 wrote to memory of 3400	3160	Photo-064-2021.jpg.scr	smhost.exe
PID 3160 wrote to memory of 3400	3160	Photo-064-2021.jpg.scr	smhost.exe
PID 3400 wrote to memory of 2484	3400	smhost.exe	cmd.exe
PID 3400 wrote to memory of 2484	3400	smhost.exe	cmd.exe
PID 3400 wrote to memory of 2484	3400	smhost.exe	cmd.exe
PID 3152 wrote to memory of 2488	3152	swhost.exe	cmd.exe
PID 3152 wrote to memory of 2488	3152	swhost.exe	cmd.exe
PID 3152 wrote to memory of 2488	3152	swhost.exe	cmd.exe
PID 2488 wrote to memory of 212	2488	cmd.exe	timeout.exe
PID 2484 wrote to memory of 196	2484	cmd.exe	timeout.exe
PID 2488 wrote to memory of 212	2488	cmd.exe	timeout.exe
PID 2488 wrote to memory of 212	2488	cmd.exe	timeout.exe
PID 2484 wrote to memory of 196	2484	cmd.exe	timeout.exe
PID 2484 wrote to memory of 196	2484	cmd.exe	timeout.exe
PID 3400 wrote to memory of 2084	3400	smhost.exe	cmd.exe
PID 3400 wrote to memory of 2084	3400	smhost.exe	cmd.exe
PID 3400 wrote to memory of 2084	3400	smhost.exe	cmd.exe
PID 3152 wrote to memory of 2092	3152	swhost.exe	cmd.exe
PID 3152 wrote to memory of 2092	3152	swhost.exe	cmd.exe
PID 3152 wrote to memory of 2092	3152	swhost.exe	cmd.exe
PID 2084 wrote to memory of 4092	2084	cmd.exe	timeout.exe
PID 2084 wrote to memory of 4092	2084	cmd.exe	timeout.exe
PID 2084 wrote to memory of 4092	2084	cmd.exe	timeout.exe
PID 2092 wrote to memory of 3620	2092	cmd.exe	timeout.exe
PID 2092 wrote to memory of 3620	2092	cmd.exe	timeout.exe
PID 2092 wrote to memory of 3620	2092	cmd.exe	timeout.exe
PID 3400 wrote to memory of 3724	3400	smhost.exe	cmd.exe
PID 3400 wrote to memory of 3724	3400	smhost.exe	cmd.exe
PID 3400 wrote to memory of 3724	3400	smhost.exe	cmd.exe
PID 3152 wrote to memory of 764	3152	swhost.exe	cmd.exe
PID 3152 wrote to memory of 764	3152	swhost.exe	cmd.exe
PID 3152 wrote to memory of 764	3152	swhost.exe	cmd.exe
PID 3724 wrote to memory of 3292	3724	cmd.exe	timeout.exe
PID 3724 wrote to memory of 3292	3724	cmd.exe	timeout.exe
PID 3724 wrote to memory of 3292	3724	cmd.exe	timeout.exe
PID 764 wrote to memory of 3912	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 3912	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 3912	764	cmd.exe	timeout.exe
PID 3400 wrote to memory of 496	3400	smhost.exe	aspnet_wp.exe
PID 3400 wrote to memory of 496	3400	smhost.exe	aspnet_wp.exe
PID 3400 wrote to memory of 496	3400	smhost.exe	aspnet_wp.exe
PID 3152 wrote to memory of 3188	3152	swhost.exe	aspnet_wp.exe
PID 3152 wrote to memory of 3188	3152	swhost.exe	aspnet_wp.exe
PID 3152 wrote to memory of 3188	3152	swhost.exe	aspnet_wp.exe
PID 3400 wrote to memory of 2816	3400	smhost.exe	aspnet_wp.exe
PID 3400 wrote to memory of 2816	3400	smhost.exe	aspnet_wp.exe
PID 3400 wrote to memory of 2816	3400	smhost.exe	aspnet_wp.exe
PID 3152 wrote to memory of 3188	3152	swhost.exe	aspnet_wp.exe
PID 3152 wrote to memory of 3188	3152	swhost.exe	aspnet_wp.exe
PID 3152 wrote to memory of 3188	3152	swhost.exe	aspnet_wp.exe
PID 3152 wrote to memory of 3188	3152	swhost.exe	aspnet_wp.exe
PID 3400 wrote to memory of 2816	3400	smhost.exe	aspnet_wp.exe
PID 3400 wrote to memory of 2816	3400	smhost.exe	aspnet_wp.exe
PID 3400 wrote to memory of 2816	3400	smhost.exe	aspnet_wp.exe
PID 3400 wrote to memory of 2816	3400	smhost.exe	aspnet_wp.exe
PID 3400 wrote to memory of 2816	3400	smhost.exe	aspnet_wp.exe
PID 3188 wrote to memory of 4056	3188	aspnet_wp.exe	cmd.exe
PID 3188 wrote to memory of 4056	3188	aspnet_wp.exe	cmd.exe
PID 3188 wrote to memory of 4056	3188	aspnet_wp.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Photo-064-2021.jpg.scr
"C:\Users\Admin\AppData\Local\Temp\Photo-064-2021.jpg.scr" /S
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160

C:\Users\Admin\AppData\Local\Temp\swhost.exe
"C:\Users\Admin\AppData\Local\Temp\swhost.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:3620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:3912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
3⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe > nul
4⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 1676
3⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Users\Admin\AppData\Local\Temp\smhost.exe
"C:\Users\Admin\AppData\Local\Temp\smhost.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:4092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:3292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
3⤵
PID:496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
3⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 1604
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\desktop.ini

MD5
af2583b628a62640d1f4bfdf2075863a

SHA1
cafe9a9d2deedb443d52a93a45e99a385e4f65f2

SHA256
e8a664c32b08dfaa11ee755ac9a5890214029395eff64ee009366c8cbf8cf3d4

SHA512
13a771b634b726fe2b5b71886b4c7875ca4ab6e2d0061074a1d66bd98f555c72cf43349ff1ab9de2166ca261851950e266b67a74995bd21efac37addc4c04688

Download Submit
C:\Users\Admin\AppData\Local\Temp\smhost.exe

MD5
654e98d30719de2b197311aadece41d2

SHA1
e2dc9f7a0256621e767fe2d0ce3b251ab2c037fd

SHA256
b624fba4e93efc188408233ae3b7b3c43f0461cfd728bdc7d7c70eeb680a5c26

SHA512
ca0d80526849a271925321717f8ba062892722f21ef08a197f208dedc31e34f078bacdfe6beef139ed278461a8ee7c2b4badde5a1c20f39d5d3097e90385ccf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\smhost.exe

MD5
654e98d30719de2b197311aadece41d2

SHA1
e2dc9f7a0256621e767fe2d0ce3b251ab2c037fd

SHA256
b624fba4e93efc188408233ae3b7b3c43f0461cfd728bdc7d7c70eeb680a5c26

SHA512
ca0d80526849a271925321717f8ba062892722f21ef08a197f208dedc31e34f078bacdfe6beef139ed278461a8ee7c2b4badde5a1c20f39d5d3097e90385ccf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\swhost.exe

MD5
9e96c9967287f92f1646c0c8a68f3a48

SHA1
53401dab53f27cab59e5e2f2e2d7d8bfa3699744

SHA256
b144cea70ef357f52b0b3fdcad315d0df095c563c2cbe535fb45354133db6a2b

SHA512
1acd812c5e93fff4686c3f93f503196660bfc44b9257f5af850b18fd19fd7d82c74c0fc878e79240b1250e6c5168a54bcae7a806f696d5f09b69c197ab8eb924

Download Submit
C:\Users\Admin\AppData\Local\Temp\swhost.exe

MD5
9e96c9967287f92f1646c0c8a68f3a48

SHA1
53401dab53f27cab59e5e2f2e2d7d8bfa3699744

SHA256
b144cea70ef357f52b0b3fdcad315d0df095c563c2cbe535fb45354133db6a2b

SHA512
1acd812c5e93fff4686c3f93f503196660bfc44b9257f5af850b18fd19fd7d82c74c0fc878e79240b1250e6c5168a54bcae7a806f696d5f09b69c197ab8eb924

Download Submit
memory/196-44-0x0000000000000000-mapping.dmp

Download
memory/212-43-0x0000000000000000-mapping.dmp

Download
memory/764-50-0x0000000000000000-mapping.dmp

Download
memory/2084-45-0x0000000000000000-mapping.dmp

Download
memory/2092-46-0x0000000000000000-mapping.dmp

Download
memory/2260-58-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/2484-41-0x0000000000000000-mapping.dmp

Download
memory/2488-42-0x0000000000000000-mapping.dmp

Download
memory/2816-56-0x000000000040801E-mapping.dmp

Download
memory/2816-54-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2868-59-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/3152-23-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/3152-19-0x0000000000000000-mapping.dmp

Download
memory/3152-40-0x0000000005C20000-0x0000000005C48000-memory.dmp

Filesize
160KB

Download
memory/3152-22-0x00000000733D0000-0x0000000073ABE000-memory.dmp

Filesize
6.9MB

Download
memory/3152-37-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/3160-13-0x0000000007260000-0x0000000007261000-memory.dmp

Filesize
4KB

Download
memory/3160-5-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/3160-11-0x0000000006830000-0x0000000006831000-memory.dmp

Filesize
4KB

Download
memory/3160-2-0x00000000733D0000-0x0000000073ABE000-memory.dmp

Filesize
6.9MB

Download
memory/3160-10-0x0000000006130000-0x0000000006131000-memory.dmp

Filesize
4KB

Download
memory/3160-16-0x0000000006760000-0x0000000006761000-memory.dmp

Filesize
4KB

Download
memory/3160-14-0x0000000006420000-0x0000000006421000-memory.dmp

Filesize
4KB

Download
memory/3160-15-0x00000000063A0000-0x00000000063A1000-memory.dmp

Filesize
4KB

Download
memory/3160-9-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/3160-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3160-8-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/3160-7-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/3160-6-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/3160-12-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/3160-17-0x0000000006EB0000-0x0000000006EB1000-memory.dmp

Filesize
4KB

Download
memory/3160-18-0x0000000006FA0000-0x0000000006FA1000-memory.dmp

Filesize
4KB

Download
memory/3188-57-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3188-53-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3188-55-0x0000000000409F20-mapping.dmp

Download
memory/3292-51-0x0000000000000000-mapping.dmp

Download
memory/3400-29-0x00000000733D0000-0x0000000073ABE000-memory.dmp

Filesize
6.9MB

Download
memory/3400-39-0x0000000004B00000-0x0000000004B22000-memory.dmp

Filesize
136KB

Download
memory/3400-31-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/3400-24-0x0000000000000000-mapping.dmp

Download
memory/3620-48-0x0000000000000000-mapping.dmp

Download
memory/3724-49-0x0000000000000000-mapping.dmp

Download
memory/3912-52-0x0000000000000000-mapping.dmp

Download
memory/4056-61-0x0000000000000000-mapping.dmp

Download
memory/4092-47-0x0000000000000000-mapping.dmp

Download