Analysis
- max time kernel: 51s
- max time network: 13s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 13/02/2021, 10:58
Static task: static1
Behavioral task: behavioral1
    Sample: _$.exe
    Resource: win7v20201028
Behavioral task: behavioral2
    Sample: _$.exe
    Resource: win10v20201028
General
- Target: _$.exe
- Size: 50KB
- MD5: 7c93a02c3a90f915530df1acaa07fec9
- SHA1: 1353fc85e84a431d43e519c8eef3d789b2a84be5
- SHA256: db5964ee570a1cbcbd1a0c7c8a7e4aadb44f64c27061ab25fde24a7f21d73f45
- SHA512: e8fa76667098d6d9caf3348dfd784ad68e14f44879d0a25a087486599478debc7f337669e16b444e3e056368faf7036ff39a2c60beb408af4bca2d4d151608f2
Malware Config
- Extracted: C:\Users\Admin\Desktop\info.hta
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  pid  | Process
  1616 | 0wkomrak.exe
  1948 | TaskHost.exe
- Loads dropped DLL (1 IoC)
  pid  | Process
  1616 | 0wkomrak.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\license.rtf.arazite | TaskHost.exe
  File opened for modification | C:\Windows\SysWOW64\license.rtf | TaskHost.exe
  File created | C:\Windows\SysWOW64\locationnotificationsview.xml | TaskHost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.arazite | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png.arazite | TaskHost.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | TaskHost.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImagesMask.bmp | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\SynchronizationEula.rtf | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Austin.xml.arazite | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.Xml.xml.arazite | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html.arazite | TaskHost.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\da.txt | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp | TaskHost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.arazite | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png.arazite | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.arazite | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.arazite | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\TexturedBlue.css | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml.arazite | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen.css.arazite | TaskHost.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml.arazite | TaskHost.exe
  File created | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\flyout.html | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Country.css | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg.arazite | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp.arazite | TaskHost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24Images.jpg | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImagesMask.bmp | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml.arazite | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImage.jpg | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html.arazite | TaskHost.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml | TaskHost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImagesMask.bmp | TaskHost.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml.arazite | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html.arazite | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jre7\Welcome.html | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImages.jpg.arazite | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml.arazite | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp.arazite | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Text.zip.arazite | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis.css | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml.arazite | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml.arazite | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg.arazite | TaskHost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GreenTea.css.arazite | TaskHost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml | TaskHost.exe
- Drops file in Windows directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlState.sql | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\security.aspx | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\createPermission.aspx | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1036\LocalizedData.xml | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\DefaultWsdlHelpGenerator.aspx.arazite | TaskHost.exe
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\SubsetList\Client.xml | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceProviderLogic.sql.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreLogic.sql.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1046\LocalizedData.xml | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallSqlState.sql.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\NetFx45_IIS_schema_update.xml.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallSqlStateTemplate.sql.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1042\LocalizedData.xml.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\DefaultWsdlHelpGenerator.aspx | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Security.aspx.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\security0.aspx.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\security0.aspx | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\ManageProviders.aspx.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\DebugAndTrace.aspx.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SplashScreen.bmp.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1055\eula.rtf.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallPersonalization.sql | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersonalization.sql | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\EditAppSetting.aspx | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1038\LocalizedData.xml | TaskHost.exe
  File created | C:\Windows\Fonts\fms_metadata.xml | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallWebEventSqlProvider.sql | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1033\eula.rtf.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1043\LocalizedData.xml.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1049\LocalizedData.xml.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallMembership.sql | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersonalization.sql | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\2070\LocalizedData.xml.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreSchemaUpgrade.sql | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\2070\LocalizedData.xml | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallMembership.sql.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\DropSqlWorkflowInstanceStoreLogic.sql.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\UninstallCommon.sql | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1030\LocalizedData.xml | TaskHost.exe
  File created | C:\Windows\Web\Wallpaper\Windows\img0.jpg | TaskHost.exe
  File created | C:\Windows\info.hta | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallSqlStateTemplate.sql | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallMembership.sql.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\UninstallSqlState.sql.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\security.aspx.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\default.aspx.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1029\LocalizedData.xml.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlState.sql | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg | TaskHost.exe
  File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RedistList\FrameworkList.xml | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreSchema.sql | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminStyles.css.arazite | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallRoles.sql | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceProviderSchema.sql | TaskHost.exe
  File created | C:\Windows\servicing\Sessions\30846299_4142642496.back.xml | TaskHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallWebEventSqlProvider.sql.arazite | TaskHost.exe
- Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid  | Process
  1444 | vssadmin.exe
  940  | vssadmin.exe
  660  | vssadmin.exe
- Kills process with taskkill (1 IoC)
  pid  | Process
  1108 | taskkill.exe
- Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid  | Process
  1616 | 0wkomrak.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  1724 | _$.exe   (this row appears 64 times in the report)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1724 | _$.exe
  Token: SeDebugPrivilege | 1108 | taskkill.exe
  Token: SeDebugPrivilege | 1616 | 0wkomrak.exe
  Token: SeDebugPrivilege | 1948 | TaskHost.exe
  Token: 33 | 1948 | TaskHost.exe
  Token: SeIncBasePriorityPrivilege | 1948 | TaskHost.exe
  Token: SeIncreaseQuotaPrivilege | 1332 | WMIC.exe
  Token: SeSecurityPrivilege | 1332 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1332 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1332 | WMIC.exe
  Token: SeSystemProfilePrivilege | 1332 | WMIC.exe
  Token: SeSystemtimePrivilege | 1332 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1332 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 1332 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 1332 | WMIC.exe
  Token: SeBackupPrivilege | 1332 | WMIC.exe
  Token: SeRestorePrivilege | 1332 | WMIC.exe
  Token: SeShutdownPrivilege | 1332 | WMIC.exe
  Token: SeDebugPrivilege | 1332 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1332 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 1332 | WMIC.exe
  Token: SeUndockPrivilege | 1332 | WMIC.exe
  Token: SeManageVolumePrivilege | 1332 | WMIC.exe
  Token: 33 | 1332 | WMIC.exe
  Token: 34 | 1332 | WMIC.exe
  Token: 35 | 1332 | WMIC.exe
  Token: SeBackupPrivilege | 1228 | vssvc.exe
  Token: SeRestorePrivilege | 1228 | vssvc.exe
  Token: SeAuditPrivilege | 1228 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 1332 | WMIC.exe
  Token: SeSecurityPrivilege | 1332 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1332 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1332 | WMIC.exe
  Token: SeSystemProfilePrivilege | 1332 | WMIC.exe
  Token: SeSystemtimePrivilege | 1332 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1332 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 1332 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 1332 | WMIC.exe
  Token: SeBackupPrivilege | 1332 | WMIC.exe
  Token: SeRestorePrivilege | 1332 | WMIC.exe
  Token: SeShutdownPrivilege | 1332 | WMIC.exe
  Token: SeDebugPrivilege | 1332 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1332 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 1332 | WMIC.exe
  Token: SeUndockPrivilege | 1332 | WMIC.exe
  Token: SeManageVolumePrivilege | 1332 | WMIC.exe
  Token: 33 | 1332 | WMIC.exe
  Token: 34 | 1332 | WMIC.exe
  Token: 35 | 1332 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 1108 | WMIC.exe
  Token: SeSecurityPrivilege | 1108 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1108 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1108 | WMIC.exe
  Token: SeSystemProfilePrivilege | 1108 | WMIC.exe
  Token: SeSystemtimePrivilege | 1108 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1108 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 1108 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 1108 | WMIC.exe
  Token: SeBackupPrivilege | 1108 | WMIC.exe
  Token: SeRestorePrivilege | 1108 | WMIC.exe
  Token: SeShutdownPrivilege | 1108 | WMIC.exe
  Token: SeDebugPrivilege | 1108 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1108 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 1108 | WMIC.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid  | Process
  1724 | _$.exe
  1724 | _$.exe
- Suspicious use of WriteProcessMemory (64 IoCs; identical rows are collapsed with their repeat count)
  description | pid | Process | procid_target
  PID 1724 wrote to memory of 1900 | 1724 | _$.exe | 26   (3 rows)
  PID 1832 wrote to memory of 1616 | 1832 | cmd.exe | 30   (4 rows)
  PID 1616 wrote to memory of 1948 | 1616 | 0wkomrak.exe | 38   (4 rows)
  PID 1616 wrote to memory of 1624 | 1616 | 0wkomrak.exe | 39   (4 rows)
  PID 1624 wrote to memory of 1444 | 1624 | cmd.exe | 41   (4 rows)
  PID 1948 wrote to memory of 2012 | 1948 | TaskHost.exe | 45   (4 rows)
  PID 1948 wrote to memory of 1916 | 1948 | TaskHost.exe | 47   (4 rows)
  PID 1948 wrote to memory of 1616 | 1948 | TaskHost.exe | 49   (4 rows)
  PID 1916 wrote to memory of 1332 | 1916 | cmd.exe | 51   (4 rows)
  PID 2012 wrote to memory of 1444 | 2012 | cmd.exe | 52   (4 rows)
  PID 1948 wrote to memory of 1888 | 1948 | TaskHost.exe | 55   (4 rows)
  PID 1948 wrote to memory of 1320 | 1948 | TaskHost.exe | 57   (4 rows)
  PID 1948 wrote to memory of 1484 | 1948 | TaskHost.exe | 59   (4 rows)
  PID 1888 wrote to memory of 940 | 1888 | cmd.exe | 60   (4 rows)
  PID 1320 wrote to memory of 1108 | 1320 | cmd.exe | 62   (4 rows)
  PID 1948 wrote to memory of 880 | 1948 | TaskHost.exe | 63   (4 rows)
  PID 1948 wrote to memory of 1440 | 1948 | TaskHost.exe | 65   (1 row)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\_$.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\_$.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1724
    Level 2: \??\c:\windows\system32\cmstp.exe
        Command line: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\bbyhmk3v.inf
        PID: 1900

Level 1: C:\Windows\system32\cmd.exe
    Command line: cmd /c start C:\Windows\temp\0wkomrak.exe
    - Suspicious use of WriteProcessMemory
    PID: 1832
    Level 2: C:\Windows\temp\0wkomrak.exe
        Command line: C:\Windows\temp\0wkomrak.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 1616
        Level 3: C:\Users\Admin\AppData\Roaming\TaskHost.exe
            Command line: "C:\Users\Admin\AppData\Roaming\TaskHost.exe"
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 1948
            Level 4: C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
                - Suspicious use of WriteProcessMemory
                PID: 2012
                Level 5: C:\Windows\SysWOW64\vssadmin.exe
                    Command line: vssadmin.exe delete shadows /all /quiet
                    - Interacts with shadow copies
                    PID: 1444
            Level 4: C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
                - Suspicious use of WriteProcessMemory
                PID: 1916
                Level 5: C:\Windows\SysWOW64\Wbem\WMIC.exe
                    Command line: wmic shadowcopy delete
                    - Suspicious use of AdjustPrivilegeToken
                    PID: 1332
            Level 4: C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                PID: 1616
            Level 4: C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
                - Suspicious use of WriteProcessMemory
                PID: 1888
                Level 5: C:\Windows\SysWOW64\vssadmin.exe
                    Command line: vssadmin.exe delete shadows /all /quiet
                    - Interacts with shadow copies
                    PID: 940
            Level 4: C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
                - Suspicious use of WriteProcessMemory
                PID: 1320
                Level 5: C:\Windows\SysWOW64\Wbem\WMIC.exe
                    Command line: wmic shadowcopy delete
                    - Suspicious use of AdjustPrivilegeToken
                    PID: 1108
            Level 4: C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                PID: 1484
            Level 4: C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
                PID: 880
                Level 5: C:\Windows\SysWOW64\vssadmin.exe
                    Command line: vssadmin.exe delete shadows /all /quiet
                    - Interacts with shadow copies
                    PID: 660
            Level 4: C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
                PID: 1440
                Level 5: C:\Windows\SysWOW64\Wbem\WMIC.exe
                    Command line: wmic shadowcopy delete
                    PID: 1172
            Level 4: C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                PID: 1920
            Level 4: C:\Windows\SysWOW64\mshta.exe
                Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
                - Modifies Internet Explorer settings
                PID: 1892
            Level 4: C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Roaming\TaskHost.exe"
                PID: 1064
                Level 5: C:\Windows\SysWOW64\choice.exe
                    Command line: choice /C Y /N /D Y /T 1
                    PID: 884
        Level 3: C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Windows\temp\0wkomrak.exe"
            - Suspicious use of WriteProcessMemory
            PID: 1624
            Level 4: C:\Windows\SysWOW64\choice.exe
                Command line: choice /C Y /N /D Y /T 1
                PID: 1444

Level 1: C:\Windows\system32\taskkill.exe
    Command line: taskkill /IM cmstp.exe /F
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 1108

Level 1: C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
    PID: 1228