bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a

General

Target

bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a.bin.exe
Size

11KB
MD5

f3d78f15bf85aa14f71979585d310ae7
SHA1

1e73b89abd5e0e0e74291d5ebb4f10574a9ef2e2
SHA256

bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a
SHA512

ef251e35c6047df225d937b568ded6ad9ee8e72235fac6ce6c04e9287f01aad65c63ada7e65e304ac094029f0a768d2697c3960dde818f7cf0f73cd81283e087

Score

10^/10

persistence ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\READ_ME.hta

Ransom Note

E P S I L O N Ransomware ⠀ As you can see, all your files got encrypted. Thats why your files are no longer readable. If you want them back, please contact us at our email below. You can send us a couple of files and we will return the restored ones to prove that only we can do it. [email protected] You can ask for more details and more help by email. You can learn more about bitcoin and encryption on wikipedia. https://wikipedia.org/wiki/Bitcoinhttps://wikipedia.org/wiki/Encryption ⠀ If you already submited your payement, you will receive your private key and another decryption key with the special decryption software. More informations: 1. the infection was due to vulnerabilities in your software. 2. our goal is to return your data, but if you don't contact us, we will not succeed. IMPORTANT: 1. if you want to make sure that it is impossible to recover files using third-party software, do this not on all files, otherwise you may lose all data. 2. only communication through our email can guarantee file recover for you. We are not responsible for the actions of third parties who promise to help you - most often they are scammers. 3. please, do not try to rename encrypted files.

Emails

[email protected]

URLs

https://wikipedia.org/wiki/Bitcoinhttps://wikipedia.org/wiki/Encryption

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

TaskHostHelper.exe

pid process

1668 TaskHostHelper.exe
Drops startup file 1 IoCs

Processes:

TaskHostHelper.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ_ME.hta TaskHostHelper.exe

pid	process
1668	TaskHostHelper.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ_ME.hta	TaskHostHelper.exe

Loads dropped DLL 2 IoCs

Processes:

bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a.bin.exe

pid	process
1944	bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a.bin.exe
1944	bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TaskHostHelper.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TaskHostHelper.exe"	TaskHostHelper.exe

Drops file in System32 directory 2 IoCs

Processes:

TaskHostHelper.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\license.rtf	TaskHostHelper.exe
File created	C:\Windows\SysWOW64\locationnotificationsview.xml	TaskHostHelper.exe

Drops file in Program Files directory 1001 IoCs

Processes:

TaskHostHelper.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SettingsInternal.zip	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLowMask.bmp	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIconsMask.bmp	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\SettingsInternal.zip	TaskHostHelper.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SlateBlue.css	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOffMask.bmp	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Visualizer.zip	TaskHostHelper.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Medium.jpg	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files\ClearRegister.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml	TaskHostHelper.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Earthy.css	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml	TaskHostHelper.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\drag.png	TaskHostHelper.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png	TaskHostHelper.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\drag.png	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\StaticText.jpg	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBrowserUpgrade.html	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SplashScreen.zip	TaskHostHelper.exe
File opened for modification	C:\Program Files\CloseRevoke.mp4	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\OliveGreen.css	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrowMask.bmp	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck.css	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WhiteboxMask.bmp	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\README.txt	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml	TaskHostHelper.exe

Drops file in Windows directory 319 IoCs

Processes:

TaskHostHelper.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallPersonalization.sql	TaskHostHelper.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RedistList\FrameworkList.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallMembership.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\editUser.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallPersistSqlState.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\manageSingleRole.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1029\LocalizedData.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallPersistSqlState.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx	TaskHostHelper.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RedistList\FrameworkList.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\UninstallSqlState.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\AppConfigHome.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreLogic.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\en\Tracking_Schema.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\DebugAndTrace.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1055\eula.rtf	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1043\LocalizedData.xml	TaskHostHelper.exe
File created	C:\Windows\servicing\Editions\EditionMatrix.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallSqlStateTemplate.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Security.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\home0.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1025\LocalizedData.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\2070\eula.rtf	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallRoles.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1033\LocalizedData.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1049\LocalizedData.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Panther\diagerr.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreSchema.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallPersonalization.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\en\SqlPersistenceService_Schema.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\header.bmp	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1055\LocalizedData.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreSchema.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\DefineErrorPage.aspx	TaskHostHelper.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\EN\DropSqlPersistenceProviderLogic.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageProviders.aspx	TaskHostHelper.exe
File created	C:\Windows\PLA\System\System Diagnostics.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallSqlStateTemplate.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\UninstallSqlState.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\manageSingleRole.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\Tracking_Schema.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1040\eula.rtf	TaskHostHelper.exe
File created	C:\Windows\Performance\WinSAT\Clip_1080_5sec_10mbps_h264.mp4	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallCommon.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\error.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersistSqlState.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\security0.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\UninstallWebEventSqlProvider.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\UninstallSqlStateTemplate.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg	TaskHostHelper.exe
File created	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp1.jpg	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Strings.xml	TaskHostHelper.exe

Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

2224 vssadmin.exe
528 vssadmin.exe
2064 vssadmin.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

pid	process
2224	vssadmin.exe
528	vssadmin.exe
2064	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

TaskHostHelper.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	TaskHostHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	TaskHostHelper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	TaskHostHelper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	TaskHostHelper.exe

Suspicious use of AdjustPrivilegeToken 135 IoCs

Processes:

bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a.bin.exeTaskHostHelper.exeWMIC.exevssvc.exeAUDIODG.EXEWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1944	bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a.bin.exe
Token: SeDebugPrivilege	1668	TaskHostHelper.exe
Token: 33	1668	TaskHostHelper.exe
Token: SeIncBasePriorityPrivilege	1668	TaskHostHelper.exe
Token: SeIncreaseQuotaPrivilege	952	WMIC.exe
Token: SeSecurityPrivilege	952	WMIC.exe
Token: SeTakeOwnershipPrivilege	952	WMIC.exe
Token: SeLoadDriverPrivilege	952	WMIC.exe
Token: SeSystemProfilePrivilege	952	WMIC.exe
Token: SeSystemtimePrivilege	952	WMIC.exe
Token: SeProfSingleProcessPrivilege	952	WMIC.exe
Token: SeIncBasePriorityPrivilege	952	WMIC.exe
Token: SeCreatePagefilePrivilege	952	WMIC.exe
Token: SeBackupPrivilege	952	WMIC.exe
Token: SeRestorePrivilege	952	WMIC.exe
Token: SeShutdownPrivilege	952	WMIC.exe
Token: SeDebugPrivilege	952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	952	WMIC.exe
Token: SeRemoteShutdownPrivilege	952	WMIC.exe
Token: SeUndockPrivilege	952	WMIC.exe
Token: SeManageVolumePrivilege	952	WMIC.exe
Token: 33	952	WMIC.exe
Token: 34	952	WMIC.exe
Token: 35	952	WMIC.exe
Token: SeBackupPrivilege	980	vssvc.exe
Token: SeRestorePrivilege	980	vssvc.exe
Token: SeAuditPrivilege	980	vssvc.exe
Token: SeIncreaseQuotaPrivilege	952	WMIC.exe
Token: SeSecurityPrivilege	952	WMIC.exe
Token: SeTakeOwnershipPrivilege	952	WMIC.exe
Token: SeLoadDriverPrivilege	952	WMIC.exe
Token: SeSystemProfilePrivilege	952	WMIC.exe
Token: SeSystemtimePrivilege	952	WMIC.exe
Token: SeProfSingleProcessPrivilege	952	WMIC.exe
Token: SeIncBasePriorityPrivilege	952	WMIC.exe
Token: SeCreatePagefilePrivilege	952	WMIC.exe
Token: SeBackupPrivilege	952	WMIC.exe
Token: SeRestorePrivilege	952	WMIC.exe
Token: SeShutdownPrivilege	952	WMIC.exe
Token: SeDebugPrivilege	952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	952	WMIC.exe
Token: SeRemoteShutdownPrivilege	952	WMIC.exe
Token: SeUndockPrivilege	952	WMIC.exe
Token: SeManageVolumePrivilege	952	WMIC.exe
Token: 33	952	WMIC.exe
Token: 34	952	WMIC.exe
Token: 35	952	WMIC.exe
Token: 33	1956	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1956	AUDIODG.EXE
Token: 33	1956	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1956	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	2100	WMIC.exe
Token: SeSecurityPrivilege	2100	WMIC.exe
Token: SeTakeOwnershipPrivilege	2100	WMIC.exe
Token: SeLoadDriverPrivilege	2100	WMIC.exe
Token: SeSystemProfilePrivilege	2100	WMIC.exe
Token: SeSystemtimePrivilege	2100	WMIC.exe
Token: SeProfSingleProcessPrivilege	2100	WMIC.exe
Token: SeIncBasePriorityPrivilege	2100	WMIC.exe
Token: SeCreatePagefilePrivilege	2100	WMIC.exe
Token: SeBackupPrivilege	2100	WMIC.exe
Token: SeRestorePrivilege	2100	WMIC.exe
Token: SeShutdownPrivilege	2100	WMIC.exe
Token: SeDebugPrivilege	2100	WMIC.exe

Suspicious use of WriteProcessMemory 72 IoCs

Processes:

bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a.bin.exeTaskHostHelper.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1944 wrote to memory of 1668	1944	bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a.bin.exe	TaskHostHelper.exe
PID 1944 wrote to memory of 1668	1944	bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a.bin.exe	TaskHostHelper.exe
PID 1944 wrote to memory of 1668	1944	bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a.bin.exe	TaskHostHelper.exe
PID 1944 wrote to memory of 1668	1944	bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a.bin.exe	TaskHostHelper.exe
PID 1668 wrote to memory of 1660	1668	TaskHostHelper.exe	mshta.exe
PID 1668 wrote to memory of 1660	1668	TaskHostHelper.exe	mshta.exe
PID 1668 wrote to memory of 1660	1668	TaskHostHelper.exe	mshta.exe
PID 1668 wrote to memory of 1660	1668	TaskHostHelper.exe	mshta.exe
PID 1668 wrote to memory of 764	1668	TaskHostHelper.exe	WScript.exe
PID 1668 wrote to memory of 764	1668	TaskHostHelper.exe	WScript.exe
PID 1668 wrote to memory of 764	1668	TaskHostHelper.exe	WScript.exe
PID 1668 wrote to memory of 764	1668	TaskHostHelper.exe	WScript.exe
PID 1668 wrote to memory of 1980	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 1980	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 1980	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 1980	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 1904	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 1904	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 1904	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 1904	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 1436	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 1436	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 1436	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 1436	1668	TaskHostHelper.exe	cmd.exe
PID 1904 wrote to memory of 952	1904	cmd.exe	WMIC.exe
PID 1904 wrote to memory of 952	1904	cmd.exe	WMIC.exe
PID 1904 wrote to memory of 952	1904	cmd.exe	WMIC.exe
PID 1904 wrote to memory of 952	1904	cmd.exe	WMIC.exe
PID 1980 wrote to memory of 528	1980	cmd.exe	vssadmin.exe
PID 1980 wrote to memory of 528	1980	cmd.exe	vssadmin.exe
PID 1980 wrote to memory of 528	1980	cmd.exe	vssadmin.exe
PID 1980 wrote to memory of 528	1980	cmd.exe	vssadmin.exe
PID 1668 wrote to memory of 976	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 976	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 976	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 976	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 1404	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 1404	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 1404	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 1404	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 1388	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 1388	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 1388	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 1388	1668	TaskHostHelper.exe	cmd.exe
PID 976 wrote to memory of 2064	976	cmd.exe	vssadmin.exe
PID 976 wrote to memory of 2064	976	cmd.exe	vssadmin.exe
PID 976 wrote to memory of 2064	976	cmd.exe	vssadmin.exe
PID 976 wrote to memory of 2064	976	cmd.exe	vssadmin.exe
PID 1404 wrote to memory of 2100	1404	cmd.exe	WMIC.exe
PID 1404 wrote to memory of 2100	1404	cmd.exe	WMIC.exe
PID 1404 wrote to memory of 2100	1404	cmd.exe	WMIC.exe
PID 1404 wrote to memory of 2100	1404	cmd.exe	WMIC.exe
PID 1668 wrote to memory of 2160	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 2160	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 2160	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 2160	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 2172	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 2172	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 2172	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 2172	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 2200	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 2200	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 2200	1668	TaskHostHelper.exe	cmd.exe
PID 1668 wrote to memory of 2200	1668	TaskHostHelper.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a.bin.exe
"C:\Users\Admin\AppData\Local\Temp\bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a.bin.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\TaskHostHelper.exe
"C:\Users\Admin\AppData\Local\Temp\TaskHostHelper.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\READ_ME.hta"
3⤵
- Modifies Internet Explorer settings
PID:1660

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4F1T6LCU.vbs"
3⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
3⤵
PID:2160

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
3⤵
PID:2172

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:2200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:564

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x55c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4F1T6LCU.vbs

MD5
07641762ad9c0d4b5983babccecb071b

SHA1
84afb077fccaa75f82338c30c5d03f4b67e39c62

SHA256
c65ff4443a32b8144455278a1fd98d442e1ad76f738a82668b2229acd7a2a117

SHA512
4be951540e9ad6c0eba31a1c31899ee1b327b4f37410cfc1f8a2fa8b27d705a265053f4ace0e8997b2ba337d293adb8d122860a85b775c41dfea5e1f252977ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskHostHelper.exe

MD5
c6ec91aaa2bba2deb31fb645a2f9b9e4

SHA1
a921f8a827897250ebbc9847ea113f56dbb1c18d

SHA256
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0

SHA512
13571cf45881b5d4ef0904f2aa0e091e9fe895bf038b71075f09a051318cf052e0737ad1fab5549e5143e866fda816ce282a2330dea128357e201948b8ce7019

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskHostHelper.exe

MD5
c6ec91aaa2bba2deb31fb645a2f9b9e4

SHA1
a921f8a827897250ebbc9847ea113f56dbb1c18d

SHA256
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0

SHA512
13571cf45881b5d4ef0904f2aa0e091e9fe895bf038b71075f09a051318cf052e0737ad1fab5549e5143e866fda816ce282a2330dea128357e201948b8ce7019

Download Submit
C:\Users\Admin\Desktop\READ_ME.hta

MD5
a076b2df780ea7d573ffd70ce0c603ea

SHA1
226531b08d9cdccf6de988172ed1e144b1d0be57

SHA256
6d5c611b01516055bbc4a56e992e7d90fcab562448d5b56a179d0f286c4b356a

SHA512
aa610f6f9c1b7cefe0f4bffe6acaae668b33e19430e137523193a51f30dd89b096b9fd29f323e9c1f71da0e6d99b8d8cb2eb334275db5ac02375af447a0e7fdd

Download Submit
\Users\Admin\AppData\Local\Temp\TaskHostHelper.exe

MD5
c6ec91aaa2bba2deb31fb645a2f9b9e4

SHA1
a921f8a827897250ebbc9847ea113f56dbb1c18d

SHA256
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0

SHA512
13571cf45881b5d4ef0904f2aa0e091e9fe895bf038b71075f09a051318cf052e0737ad1fab5549e5143e866fda816ce282a2330dea128357e201948b8ce7019

Download Submit
\Users\Admin\AppData\Local\Temp\TaskHostHelper.exe

MD5
c6ec91aaa2bba2deb31fb645a2f9b9e4

SHA1
a921f8a827897250ebbc9847ea113f56dbb1c18d

SHA256
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0

SHA512
13571cf45881b5d4ef0904f2aa0e091e9fe895bf038b71075f09a051318cf052e0737ad1fab5549e5143e866fda816ce282a2330dea128357e201948b8ce7019

Download Submit
memory/528-26-0x0000000000000000-mapping.dmp

Download
memory/764-17-0x0000000000000000-mapping.dmp

Download
memory/952-25-0x0000000000000000-mapping.dmp

Download
memory/976-28-0x0000000000000000-mapping.dmp

Download
memory/1184-27-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp

Filesize
2.5MB

Download
memory/1388-30-0x0000000000000000-mapping.dmp

Download
memory/1404-29-0x0000000000000000-mapping.dmp

Download
memory/1436-24-0x0000000000000000-mapping.dmp

Download
memory/1660-19-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1660-16-0x0000000000000000-mapping.dmp

Download
memory/1668-8-0x0000000000000000-mapping.dmp

Download
memory/1668-14-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/1668-11-0x00000000736B0000-0x0000000073D9E000-memory.dmp

Filesize
6.9MB

Download
memory/1668-15-0x0000000000B05000-0x0000000000B16000-memory.dmp

Filesize
68KB

Download
memory/1668-12-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/1904-20-0x0000000000000000-mapping.dmp

Download
memory/1944-5-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/1944-3-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/1944-2-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/1980-18-0x0000000000000000-mapping.dmp

Download
memory/2064-31-0x0000000000000000-mapping.dmp

Download
memory/2100-32-0x0000000000000000-mapping.dmp

Download
memory/2160-33-0x0000000000000000-mapping.dmp

Download
memory/2172-34-0x0000000000000000-mapping.dmp

Download
memory/2200-35-0x0000000000000000-mapping.dmp

Download
memory/2224-36-0x0000000000000000-mapping.dmp

Download
memory/2264-37-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads