Analysis
-
max time kernel: 51s
max time network: 13s
platform: windows7_x64
resource: win7v20201028
submitted: 13-02-2021 10:58
Static task: static1
Behavioral task: behavioral1
Sample: _$.exe
Resource: win7v20201028
Behavioral task: behavioral2
Sample: _$.exe
Resource: win10v20201028
General
-
Target: _$.exe
Size: 50KB
MD5: 7c93a02c3a90f915530df1acaa07fec9
SHA1: 1353fc85e84a431d43e519c8eef3d789b2a84be5
SHA256: db5964ee570a1cbcbd1a0c7c8a7e4aadb44f64c27061ab25fde24a7f21d73f45
SHA512: e8fa76667098d6d9caf3348dfd784ad68e14f44879d0a25a087486599478debc7f337669e16b444e3e056368faf7036ff39a2c60beb408af4bca2d4d151608f2
Malware Config
Extracted
C:\Users\Admin\Desktop\info.hta
parazite@tutanota.com
alcmalcolm@cock.li
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
1616 | 0wkomrak.exe
1948 | TaskHost.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
1616 | 0wkomrak.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\license.rtf.arazite | TaskHost.exe
File opened for modification | C:\Windows\SysWOW64\license.rtf | TaskHost.exe
File created | C:\Windows\SysWOW64\locationnotificationsview.xml | TaskHost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png.arazite | TaskHost.exe
File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | TaskHost.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImagesMask.bmp | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\SynchronizationEula.rtf | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Austin.xml.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.Xml.xml.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html.arazite | TaskHost.exe
File opened for modification | C:\Program Files\7-Zip\Lang\da.txt | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp | TaskHost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\TexturedBlue.css | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen.css.arazite | TaskHost.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml.arazite | TaskHost.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\flyout.html | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Country.css | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp.arazite | TaskHost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24Images.jpg | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImagesMask.bmp | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImage.jpg | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html.arazite | TaskHost.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml | TaskHost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImagesMask.bmp | TaskHost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml | TaskHost.exe
File opened for modification | C:\Program Files\Java\jre7\Welcome.html | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImages.jpg.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Text.zip.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis.css | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GreenTea.css.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml | TaskHost.exe
-
Drops file in Windows directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlState.sql | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\security.aspx | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\createPermission.aspx | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1036\LocalizedData.xml | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\DefaultWsdlHelpGenerator.aspx.arazite | TaskHost.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\SubsetList\Client.xml | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceProviderLogic.sql.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreLogic.sql.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1046\LocalizedData.xml | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallSqlState.sql.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\NetFx45_IIS_schema_update.xml.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallSqlStateTemplate.sql.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1042\LocalizedData.xml.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\DefaultWsdlHelpGenerator.aspx | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Security.aspx.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\security0.aspx.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\security0.aspx | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\ManageProviders.aspx.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\DebugAndTrace.aspx.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SplashScreen.bmp.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1055\eula.rtf.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallPersonalization.sql | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersonalization.sql | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\EditAppSetting.aspx | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1038\LocalizedData.xml | TaskHost.exe
File created | C:\Windows\Fonts\fms_metadata.xml | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallWebEventSqlProvider.sql | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1033\eula.rtf.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1043\LocalizedData.xml.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1049\LocalizedData.xml.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallMembership.sql | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersonalization.sql | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\2070\LocalizedData.xml.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreSchemaUpgrade.sql | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\2070\LocalizedData.xml | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallMembership.sql.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\DropSqlWorkflowInstanceStoreLogic.sql.arazite | TaskHost.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\UninstallCommon.sql | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1030\LocalizedData.xml | TaskHost.exe
File created | C:\Windows\Web\Wallpaper\Windows\img0.jpg | TaskHost.exe
File created | C:\Windows\info.hta | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallSqlStateTemplate.sql | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallMembership.sql.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\UninstallSqlState.sql.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\security.aspx.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\default.aspx.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1029\LocalizedData.xml.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlState.sql | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg | TaskHost.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RedistList\FrameworkList.xml | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreSchema.sql | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminStyles.css.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallRoles.sql | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceProviderSchema.sql | TaskHost.exe
File created | C:\Windows\servicing\Sessions\30846299_4142642496.back.xml | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallWebEventSqlProvider.sql.arazite | TaskHost.exe
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
1444 | vssadmin.exe
940 | vssadmin.exe
660 | vssadmin.exe
-
Kills process with taskkill 1 IoCs
Processes:
pid | process
1108 | taskkill.exe
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
pid | process
1616 | 0wkomrak.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1724 | _$.exe (this row is repeated 64 times in the report)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1724 | _$.exe
Token: SeDebugPrivilege | 1108 | taskkill.exe
Token: SeDebugPrivilege | 1616 | 0wkomrak.exe
Token: SeDebugPrivilege | 1948 | TaskHost.exe
Token: 33 | 1948 | TaskHost.exe
Token: SeIncBasePriorityPrivilege | 1948 | TaskHost.exe
Token: SeIncreaseQuotaPrivilege | 1332 | WMIC.exe
Token: SeSecurityPrivilege | 1332 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1332 | WMIC.exe
Token: SeLoadDriverPrivilege | 1332 | WMIC.exe
Token: SeSystemProfilePrivilege | 1332 | WMIC.exe
Token: SeSystemtimePrivilege | 1332 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1332 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1332 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1332 | WMIC.exe
Token: SeBackupPrivilege | 1332 | WMIC.exe
Token: SeRestorePrivilege | 1332 | WMIC.exe
Token: SeShutdownPrivilege | 1332 | WMIC.exe
Token: SeDebugPrivilege | 1332 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1332 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1332 | WMIC.exe
Token: SeUndockPrivilege | 1332 | WMIC.exe
Token: SeManageVolumePrivilege | 1332 | WMIC.exe
Token: 33 | 1332 | WMIC.exe
Token: 34 | 1332 | WMIC.exe
Token: 35 | 1332 | WMIC.exe
Token: SeBackupPrivilege | 1228 | vssvc.exe
Token: SeRestorePrivilege | 1228 | vssvc.exe
Token: SeAuditPrivilege | 1228 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 1332 | WMIC.exe
Token: SeSecurityPrivilege | 1332 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1332 | WMIC.exe
Token: SeLoadDriverPrivilege | 1332 | WMIC.exe
Token: SeSystemProfilePrivilege | 1332 | WMIC.exe
Token: SeSystemtimePrivilege | 1332 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1332 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1332 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1332 | WMIC.exe
Token: SeBackupPrivilege | 1332 | WMIC.exe
Token: SeRestorePrivilege | 1332 | WMIC.exe
Token: SeShutdownPrivilege | 1332 | WMIC.exe
Token: SeDebugPrivilege | 1332 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1332 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1332 | WMIC.exe
Token: SeUndockPrivilege | 1332 | WMIC.exe
Token: SeManageVolumePrivilege | 1332 | WMIC.exe
Token: 33 | 1332 | WMIC.exe
Token: 34 | 1332 | WMIC.exe
Token: 35 | 1332 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1108 | WMIC.exe
Token: SeSecurityPrivilege | 1108 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1108 | WMIC.exe
Token: SeLoadDriverPrivilege | 1108 | WMIC.exe
Token: SeSystemProfilePrivilege | 1108 | WMIC.exe
Token: SeSystemtimePrivilege | 1108 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1108 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1108 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1108 | WMIC.exe
Token: SeBackupPrivilege | 1108 | WMIC.exe
Token: SeRestorePrivilege | 1108 | WMIC.exe
Token: SeShutdownPrivilege | 1108 | WMIC.exe
Token: SeDebugPrivilege | 1108 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1108 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1108 | WMIC.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
1724 | _$.exe
1724 | _$.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1724 wrote to memory of 1900 | 1724 | _$.exe | cmstp.exe (row repeated 3 times)
PID 1832 wrote to memory of 1616 | 1832 | cmd.exe | 0wkomrak.exe (row repeated 4 times)
PID 1616 wrote to memory of 1948 | 1616 | 0wkomrak.exe | TaskHost.exe (row repeated 4 times)
PID 1616 wrote to memory of 1624 | 1616 | 0wkomrak.exe | cmd.exe (row repeated 4 times)
PID 1624 wrote to memory of 1444 | 1624 | cmd.exe | choice.exe (row repeated 4 times)
PID 1948 wrote to memory of 2012 | 1948 | TaskHost.exe | cmd.exe (row repeated 4 times)
PID 1948 wrote to memory of 1916 | 1948 | TaskHost.exe | cmd.exe (row repeated 4 times)
PID 1948 wrote to memory of 1616 | 1948 | TaskHost.exe | cmd.exe (row repeated 4 times)
PID 1916 wrote to memory of 1332 | 1916 | cmd.exe | WMIC.exe (row repeated 4 times)
PID 2012 wrote to memory of 1444 | 2012 | cmd.exe | vssadmin.exe (row repeated 4 times)
PID 1948 wrote to memory of 1888 | 1948 | TaskHost.exe | cmd.exe (row repeated 4 times)
PID 1948 wrote to memory of 1320 | 1948 | TaskHost.exe | cmd.exe (row repeated 4 times)
PID 1948 wrote to memory of 1484 | 1948 | TaskHost.exe | cmd.exe (row repeated 4 times)
PID 1888 wrote to memory of 940 | 1888 | cmd.exe | vssadmin.exe (row repeated 4 times)
PID 1320 wrote to memory of 1108 | 1320 | cmd.exe | WMIC.exe (row repeated 4 times)
PID 1948 wrote to memory of 880 | 1948 | TaskHost.exe | cmd.exe (row repeated 4 times)
PID 1948 wrote to memory of 1440 | 1948 | TaskHost.exe | cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\_$.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\_$.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system32\cmstp.exe (depth 2)
Command line: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\bbyhmk3v.inf
-
C:\Windows\system32\cmd.exe (depth 1)
Command line: cmd /c start C:\Windows\temp\0wkomrak.exe
- Suspicious use of WriteProcessMemory
-
C:\Windows\temp\0wkomrak.exe (depth 2)
Command line: C:\Windows\temp\0wkomrak.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\TaskHost.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Roaming\TaskHost.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exe (depth 5)
Command line: vssadmin.exe delete shadows /all /quiet
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe (depth 5)
Command line: wmic shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exe (depth 5)
Command line: vssadmin.exe delete shadows /all /quiet
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe (depth 5)
Command line: wmic shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
-
C:\Windows\SysWOW64\vssadmin.exe (depth 5)
Command line: vssadmin.exe delete shadows /all /quiet
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
-
C:\Windows\SysWOW64\Wbem\WMIC.exe (depth 5)
Command line: wmic shadowcopy delete
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
-
C:\Windows\SysWOW64\mshta.exe (depth 4)
Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Roaming\TaskHost.exe"
-
C:\Windows\SysWOW64\choice.exe (depth 5)
Command line: choice /C Y /N /D Y /T 1
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Windows\temp\0wkomrak.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exe (depth 4)
Command line: choice /C Y /N /D Y /T 1
-
C:\Windows\system32\taskkill.exe (depth 1)
Command line: taskkill /IM cmstp.exe /F
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\TaskHost.exe
MD5 a6073d31eb10aaee44fea4aa90627629
SHA1 4d3711bb9e4162a4651fd53ce3ac25a555ef3a7d
SHA256 ae4140e284b0c132c88415bb6ceb195c220668d1c6ad64f72313ffffed8cd0a0
SHA512 081d4ad5bdaeaec02ce4d6ab5cad704580b3401ec42eb6b23b31d1f1ffa443e2e2d2970506b8f5b020dcc33bc1b2b5d2ef9ce63d641eb963521f4a0318e65663
-
C:\Users\Admin\Desktop\info.hta
MD5 35cbcf33bf56364628ffb0344e81fc00
SHA1 1491300d8dabcf13c45891fc87428ae9bb0df166
SHA256 9814206bbd33890cb228f526da938dd03cbcf018c7c4ad665e6dd85e21bc3e4d
SHA512 016385ae00114d39d6ff6f990b8cf33e8fe091cff012ccf673d54f57bdfe5714c7ee443559294846b79c1f746b4834949e7497f25bb85ed4e565b0667d12ad99
-
C:\Windows\Temp\0wkomrak.exe
MD5 91ebd9edc1322c6200bef620dea7dde6
SHA1 adb5d32b4d03db0f39d2fb5be5769393099cc1fc
SHA256 6a2151f059327c592dec77ee158596f4bbb64ded544a3e3be77f2765d02f6597
SHA512 d26dae8a8fa0fa244d024192baeb768bd3668a089e236f77f97530b240cea1ddfe51d7a1f53c9ca6593e74db4fc07cddd4c130c29f24d7c0c1e3c6d9d75a30fd
-
C:\Windows\temp\0wkomrak.exe
MD5 91ebd9edc1322c6200bef620dea7dde6
SHA1 adb5d32b4d03db0f39d2fb5be5769393099cc1fc
SHA256 6a2151f059327c592dec77ee158596f4bbb64ded544a3e3be77f2765d02f6597
SHA512 d26dae8a8fa0fa244d024192baeb768bd3668a089e236f77f97530b240cea1ddfe51d7a1f53c9ca6593e74db4fc07cddd4c130c29f24d7c0c1e3c6d9d75a30fd
-
C:\Windows\temp\bbyhmk3v.inf
MD5 186de1fc4f5b0c58fd8b25f0730339d1
SHA1 8fa2559eaa827130790e3d5811861772ae42e43a
SHA256 7609536365498816c0d6dfa37976ca86ef4298f21cf08b8cfbb088dad1f34207
SHA512 89479e93fe762705707d2f2ba2440d815aeb8cbac472b4d93c296884d47815ae6c118db526c2f3ca68e493aec5980df475464ae3ececb89e0fa1c75444fcf1c3
-
\Users\Admin\AppData\Roaming\TaskHost.exe
MD5 a6073d31eb10aaee44fea4aa90627629
SHA1 4d3711bb9e4162a4651fd53ce3ac25a555ef3a7d
SHA256 ae4140e284b0c132c88415bb6ceb195c220668d1c6ad64f72313ffffed8cd0a0
SHA512 081d4ad5bdaeaec02ce4d6ab5cad704580b3401ec42eb6b23b31d1f1ffa443e2e2d2970506b8f5b020dcc33bc1b2b5d2ef9ce63d641eb963521f4a0318e65663
-
memory/660-59-0x0000000000000000-mapping.dmp
-
memory/880-56-0x0000000000000000-mapping.dmp
-
memory/884-63-0x0000000000000000-mapping.dmp
-
memory/940-54-0x0000000000000000-mapping.dmp
-
memory/1064-62-0x0000000000000000-mapping.dmp
-
memory/1108-55-0x0000000000000000-mapping.dmp
-
memory/1172-60-0x0000000000000000-mapping.dmp
-
memory/1320-52-0x0000000000000000-mapping.dmp
-
memory/1332-49-0x0000000000000000-mapping.dmp
-
memory/1440-57-0x0000000000000000-mapping.dmp
-
memory/1444-50-0x0000000000000000-mapping.dmp
-
memory/1444-44-0x0000000000000000-mapping.dmp
-
memory/1484-53-0x0000000000000000-mapping.dmp
-
memory/1616-32-0x0000000074D20000-0x000000007540E000-memory.dmp Filesize 6.9MB
-
memory/1616-33-0x0000000000F10000-0x0000000000F11000-memory.dmp Filesize 4KB
-
memory/1616-35-0x00000000761E1000-0x00000000761E3000-memory.dmp Filesize 8KB
-
memory/1616-29-0x0000000000000000-mapping.dmp
-
memory/1616-48-0x0000000000000000-mapping.dmp
-
memory/1624-43-0x0000000000000000-mapping.dmp
-
memory/1724-22-0x000000001AD8C000-0x000000001AD8D000-memory.dmp Filesize 4KB
-
memory/1724-19-0x000000001AD88000-0x000000001AD89000-memory.dmp Filesize 4KB
-
memory/1724-3-0x00000000011E0000-0x00000000011E1000-memory.dmp Filesize 4KB
-
memory/1724-16-0x000000001AD85000-0x000000001AD86000-memory.dmp Filesize 4KB
-
memory/1724-11-0x000000001AD8B000-0x000000001AD8C000-memory.dmp Filesize 4KB
-
memory/1724-14-0x000000001AD66000-0x000000001AD85000-memory.dmp Filesize 124KB
-
memory/1724-31-0x000000001AD8D000-0x000000001AD8E000-memory.dmp Filesize 4KB
-
memory/1724-10-0x000000001AD60000-0x000000001AD62000-memory.dmp Filesize 8KB
-
memory/1724-17-0x000000001AD86000-0x000000001AD87000-memory.dmp Filesize 4KB
-
memory/1724-2-0x000007FEF6350000-0x000007FEF6D3C000-memory.dmp Filesize 9.9MB
-
memory/1724-21-0x000000001AD8A000-0x000000001AD8B000-memory.dmp Filesize 4KB
-
memory/1724-18-0x000000001AD87000-0x000000001AD88000-memory.dmp Filesize 4KB
-
memory/1724-20-0x000000001AD89000-0x000000001AD8A000-memory.dmp Filesize 4KB
-
memory/1888-51-0x0000000000000000-mapping.dmp
-
memory/1892-61-0x0000000000000000-mapping.dmp
-
memory/1900-7-0x000007FEFC601000-0x000007FEFC603000-memory.dmp Filesize 8KB
-
memory/1900-5-0x0000000000000000-mapping.dmp
-
memory/1916-47-0x0000000000000000-mapping.dmp
-
memory/1920-58-0x0000000000000000-mapping.dmp
-
memory/1948-41-0x00000000013A0000-0x00000000013A1000-memory.dmp Filesize 4KB
-
memory/1948-37-0x0000000000000000-mapping.dmp
-
memory/1948-45-0x0000000001340000-0x0000000001341000-memory.dmp Filesize 4KB
-
memory/1948-40-0x0000000074D20000-0x000000007540E000-memory.dmp Filesize 6.9MB
-
memory/1960-65-0x000007FEF5DF0000-0x000007FEF606A000-memory.dmp Filesize 2.5MB
-
memory/2012-46-0x0000000000000000-mapping.dmp