Analysis

max time kernel: 95s
max time network: 110s
platform: windows10_x64
resource: win10v20201028
submitted: 13/02/2021, 10:58

Static task: static1
Behavioral task: behavioral1 (Sample: _$.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: _$.exe, Resource: win10v20201028)
General

Target: _$.exe
Size: 50KB
MD5: 7c93a02c3a90f915530df1acaa07fec9
SHA1: 1353fc85e84a431d43e519c8eef3d789b2a84be5
SHA256: db5964ee570a1cbcbd1a0c7c8a7e4aadb44f64c27061ab25fde24a7f21d73f45
SHA512: e8fa76667098d6d9caf3348dfd784ad68e14f44879d0a25a087486599478debc7f337669e16b444e3e056368faf7036ff39a2c60beb408af4bca2d4d151608f2
Malware Config

Extracted from: C:\Users\Admin\Desktop\info.hta
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (2 IoCs)
pid   Process
584   z4calwqf.exe
1324  TaskHost.exe
Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\SwitchProtect.png.arazite | TaskHost.exe
File renamed | C:\Users\Admin\Pictures\SwitchProtect.png.arazite => C:\Users\Admin\Pictures\SwitchProtect.png.arazite | TaskHost.exe
File renamed | C:\Users\Admin\Pictures\SwitchProtect.png => C:\Users\Admin\Pictures\SwitchProtect.png.arazite | TaskHost.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\@AudioToastIcon.png | TaskHost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\vscroll-thumb.png | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\main-selector.css | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\share_icons2x.png | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf | TaskHost.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\SmallLogo.png | TaskHost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\SmallLogoCanary.png | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Confirmation2x.png.arazite | TaskHost.exe
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\css\main.css | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_2x.png | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-114x114-precomposed.png.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\main-selector.css.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml | TaskHost.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png | TaskHost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] | TaskHost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html.arazite | TaskHost.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt | TaskHost.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | TaskHost.exe
File created | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2016.511.9510.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\close_x.png.arazite | TaskHost.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | TaskHost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\LogoCanary.png | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\file_info2x.png | TaskHost.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.arazite | TaskHost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_2x.png.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon.png.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast.png | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon.png.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_retina.png.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fill-sign.png.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\illustrations.png.arazite | TaskHost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\inline-error-1x.png | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-options.xml.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\README.html | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\affDescription.txt.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png.arazite | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\main.css.arazite | TaskHost.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.png | TaskHost.exe
File created | C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml | TaskHost.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_field_grabber.png | TaskHost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\nub.png | TaskHost.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE (x86).lnk | TaskHost.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk | TaskHost.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\10 - AppsAndFeatures.lnk | TaskHost.exe
File created | C:\Windows\InfusedApps\Applications\Microsoft.MicrosoftOfficeHub_2017.311.255.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | TaskHost.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\DebugAndTrace.aspx | TaskHost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\4 - Control Panel.lnk | TaskHost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\08 - PowerAndSleep.lnk | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallSqlStateTemplate.sql.arazite | TaskHost.exe
File created | C:\Windows\InfusedApps\Packages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml | TaskHost.exe
File created | C:\Windows\InfusedApps\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx | TaskHost.exe
File opened for modification | C:\Windows\Professional.xml.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\security0.aspx.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersistSqlState.sql.arazite | TaskHost.exe
File created | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml | TaskHost.exe
File created | C:\Windows\InfusedApps\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx.arazite | TaskHost.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RedistList\FrameworkList.xml | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallSqlStateTemplate.sql.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\findUsers.aspx.arazite | TaskHost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk.arazite | TaskHost.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppxBlockMap.xml | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml.arazite | TaskHost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\04-1 - NetworkStatus.lnk | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallWebEventSqlProvider.sql | TaskHost.exe
File created | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallMembership.sql | TaskHost.exe
File opened for modification | C:\Windows\Panther\diagerr.xml.arazite | TaskHost.exe
File created | C:\Windows\InfusedApps\Frameworks\Microsoft.VCLibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | TaskHost.exe
File created | C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\AppxBlockMap.xml | TaskHost.exe
File created | C:\Windows\InfusedApps\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | TaskHost.exe
File created | C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\AppxBlockMap.xml | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx.arazite | TaskHost.exe
File created | C:\Windows\InfusedApps\Packages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml | TaskHost.exe
File created | C:\Windows\InfusedApps\Packages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml | TaskHost.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\06 - SystemAbout.lnk.arazite | TaskHost.exe
File created | C:\Windows\InfusedApps\Applications\Microsoft.SkypeApp_11.8.204.0_neutral_~_kzf8qxf38zg5c\AppxBlockMap.xml | TaskHost.exe
File created | C:\Windows\Performance\WinSAT\Clip_1080_5sec_10mbps_h264.mp4 | TaskHost.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\01 - Command Prompt.lnk | TaskHost.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk.arazite | TaskHost.exe
File created | C:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallPersonalization.sql | TaskHost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk | TaskHost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk | TaskHost.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\SmtpSettings.aspx.arazite | TaskHost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE.lnk.arazite | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx | TaskHost.exe
File opened for modification | C:\Windows\Panther\diagwrn.xml | TaskHost.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk.arazite | TaskHost.exe
File created | C:\Windows\info.hta | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersistSqlState.sql | TaskHost.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\error.aspx.arazite | TaskHost.exe
File created | C:\Windows\InfusedApps\Applications\Microsoft.BingWeather_4.18.56.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | TaskHost.exe
File created | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml | TaskHost.exe
File created | C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\AppxBlockMap.xml | TaskHost.exe
File created | C:\Windows\InfusedApps\Packages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\DebugAndTrace.aspx | TaskHost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\manageSingleRole.aspx | TaskHost.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\3 - Windows Explorer.lnk | TaskHost.exe
Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid   Process
356   vssadmin.exe
2052  vssadmin.exe
976   vssadmin.exe

Kills process with taskkill (1 IoC)
pid   Process
4092  taskkill.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | TaskHost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
812   _$.exe   (64 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Entries grouped by process; numeric values are privilege LUIDs the sandbox did not resolve to a name.
pid   Process        Token(s)
812   _$.exe         SeDebugPrivilege
4092  taskkill.exe   SeDebugPrivilege
584   z4calwqf.exe   SeDebugPrivilege
1324  TaskHost.exe   SeDebugPrivilege, 33, SeIncBasePriorityPrivilege
3820  WMIC.exe       SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36   (this set is logged twice)
1008  vssvc.exe      SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
2572  WMIC.exe       SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege   (list ends at the 64-entry cap)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
812   _$.exe   (2 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
The sandbox logs each parent-to-child write up to three times; the 22 unique pairs behind the 64 entries are listed once, with the procid_target recorded for each. The last pair appears only twice, where the 64-entry list ends.
pid   Process        wrote to memory of   procid_target
812   _$.exe         3780                 74
2916  cmd.exe        584                  79
584   z4calwqf.exe   1324                 83
584   z4calwqf.exe   1376                 84
1376  cmd.exe        3948                 86
1324  TaskHost.exe   3768                 94
1324  TaskHost.exe   2344                 96
1324  TaskHost.exe   3992                 97
3768  cmd.exe        356                  100
2344  cmd.exe        3820                 101
1324  TaskHost.exe   2336                 104
1324  TaskHost.exe   3392                 105
1324  TaskHost.exe   3508                 107
2336  cmd.exe        2052                 110
3392  cmd.exe        2572                 111
1324  TaskHost.exe   3488                 112
1324  TaskHost.exe   3252                 117
1324  TaskHost.exe   3832                 114
1324  TaskHost.exe   1068                 118
3252  cmd.exe        3840                 119
3488  cmd.exe        976                  120
1324  TaskHost.exe   3836                 121
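Two of the signatures above, Modifies extensions of user files and the ransom note the config was extracted from (C:\Users\Admin\Desktop\info.hta, also created at C:\Windows\info.hta), are both visible purely in file events: one process appends the same new suffix to many files and writes a file of the same name into many directories. The Python below is an added example, not part of this sandbox report or of the malware: it parses event lines in the page's own table layout, counts how many renames by each process append one suffix, skips the no-op rename the report records (SwitchProtect.png.arazite => SwitchProtect.png.arazite), and flags a process once it passes a rename threshold, listing any file name it created in more than one directory. The first three event lines are the page's entries; the remaining lines, the thresholds and the function names are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# File-event lines in the layout of this report's tables. The first three are
# the page's own "Modifies extensions of user files" entries; the rest are
# constructed here to exercise the counter and are not from the sandbox.
FILE_EVENTS = r"""
File opened for modification C:\Users\Admin\Pictures\SwitchProtect.png.arazite TaskHost.exe
File renamed C:\Users\Admin\Pictures\SwitchProtect.png.arazite => C:\Users\Admin\Pictures\SwitchProtect.png.arazite TaskHost.exe
File renamed C:\Users\Admin\Pictures\SwitchProtect.png => C:\Users\Admin\Pictures\SwitchProtect.png.arazite TaskHost.exe
File renamed C:\Users\Admin\Documents\budget.xlsx => C:\Users\Admin\Documents\budget.xlsx.arazite TaskHost.exe
File renamed C:\Users\Admin\Documents\notes.txt => C:\Users\Admin\Documents\notes.txt.arazite TaskHost.exe
File renamed C:\Users\Admin\Music\track.mp3 => C:\Users\Admin\Music\track.mp3.arazite TaskHost.exe
File renamed C:\Users\Admin\Desktop\draft.docx => C:\Users\Admin\Desktop\draft_v2.docx explorer.exe
File created C:\Users\Admin\Desktop\info.hta TaskHost.exe
File created C:\Users\Admin\Documents\info.hta TaskHost.exe
File created C:\Windows\info.hta TaskHost.exe
"""

# The process is always the last token; paths may contain spaces, so the
# source/destination split is on " => " and the process on the final space.
RENAME = re.compile(r"^File renamed (.+?) => (.+) (\S+)$")
CREATE = re.compile(r"^File created (.+) (\S+)$")


def added_suffix(src, dst):
    """Suffix a rename appended to the original name ('.arazite'), or None when
    the rename is a no-op or changed the name in some other way."""
    if src == dst or not dst.startswith(src):
        return None
    suffix = dst[len(src):]
    return suffix if len(suffix) > 1 and suffix.startswith(".") else None


def scan(text, min_renames=3, min_note_dirs=2):
    """Return {process: {"extension", "renames", "ransom_notes"}} for each process
    that appended one suffix to at least min_renames files. Both thresholds are
    assumed values for this example, not figures taken from the report."""
    suffixes = defaultdict(Counter)                  # process -> suffix -> count
    created = defaultdict(lambda: defaultdict(set))  # process -> file name -> dirs
    for line in text.strip().splitlines():
        m = RENAME.match(line)
        if m:
            src, dst, proc = m.groups()
            suffix = added_suffix(src, dst)
            if suffix:
                suffixes[proc][suffix] += 1
            continue
        m = CREATE.match(line)
        if m:
            path, proc = m.groups()
            directory, _, name = path.rpartition("\\")
            created[proc][name.lower()].add(directory.lower())
    findings = {}
    for proc, counter in suffixes.items():
        suffix, count = counter.most_common(1)[0]
        if count < min_renames:
            continue
        notes = sorted(name for name, dirs in created[proc].items()
                       if len(dirs) >= min_note_dirs)
        findings[proc] = {"extension": suffix, "renames": count, "ransom_notes": notes}
    return findings


if __name__ == "__main__":
    for proc, info in scan(FILE_EVENTS).items():
        print(f"{proc}: appended {info['extension']} to {info['renames']} files; "
              f"note(s) written to several directories: {info['ransom_notes']}")
```

The suffix test requires the destination to be the source plus a dotted suffix, so an ordinary rename (draft.docx => draft_v2.docx) does not count, and the extension is learned from the data rather than matched against a fixed list, which is what catches a family with an extension nobody has seen before. On a live host the same counter would run over file create and rename telemetry from an EDR or ETW consumer instead of a sandbox table.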
Processes

Tree depth is shown in brackets; each entry gives the image path, the PID, the command line as recorded, and the signatures attributed to that process.

[1] C:\Users\Admin\AppData\Local\Temp\_$.exe  (PID 812)
    command line: "C:\Users\Admin\AppData\Local\Temp\_$.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] \??\c:\windows\system32\cmstp.exe  (PID 3780)
        command line: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\30zrxhkv.inf

[1] C:\Windows\system32\cmd.exe  (PID 2916)
    command line: cmd /c start C:\Windows\temp\z4calwqf.exe
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\temp\z4calwqf.exe  (PID 584)
        command line: C:\Windows\temp\z4calwqf.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Roaming\TaskHost.exe  (PID 1324)
            command line: "C:\Users\Admin\AppData\Roaming\TaskHost.exe"
            - Executes dropped EXE
            - Modifies extensions of user files
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\cmd.exe  (PID 3768)
                command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\vssadmin.exe  (PID 356)
                    command line: vssadmin.exe delete shadows /all /quiet
                    - Interacts with shadow copies
            [4] C:\Windows\SysWOW64\cmd.exe  (PID 2344)
                command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 3820)
                    command line: wmic shadowcopy delete
                    - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SysWOW64\cmd.exe  (PID 3992)
                command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
            [4] C:\Windows\SysWOW64\cmd.exe  (PID 2336)
                command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\vssadmin.exe  (PID 2052)
                    command line: vssadmin.exe delete shadows /all /quiet
                    - Interacts with shadow copies
            [4] C:\Windows\SysWOW64\cmd.exe  (PID 3392)
                command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 2572)
                    command line: wmic shadowcopy delete
                    - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SysWOW64\cmd.exe  (PID 3508)
                command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
            [4] C:\Windows\SysWOW64\cmd.exe  (PID 3488)
                command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\vssadmin.exe  (PID 976)
                    command line: vssadmin.exe delete shadows /all /quiet
                    - Interacts with shadow copies
            [4] C:\Windows\SysWOW64\cmd.exe  (PID 3832)
                command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
            [4] C:\Windows\SysWOW64\cmd.exe  (PID 3252)
                command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 3840)
                    command line: wmic shadowcopy delete
            [4] C:\Windows\SysWOW64\mshta.exe  (PID 1068)
                command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            [4] C:\Windows\SysWOW64\cmd.exe  (PID 3836)
                command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Roaming\TaskHost.exe"
                [5] C:\Windows\SysWOW64\choice.exe  (PID 1352)
                    command line: choice /C Y /N /D Y /T 1
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 1376)
            command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Windows\temp\z4calwqf.exe"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\choice.exe  (PID 3948)
                command line: choice /C Y /N /D Y /T 1

[1] C:\Windows\system32\taskkill.exe  (PID 4092)
    command line: taskkill /IM cmstp.exe /F
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\vssvc.exe  (PID 1008)
    command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
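The process tree above is the part of this report that matters for detection: the sample (PID 812) runs cmstp.exe /au against an INF file in C:\Windows\temp; a cmd.exe with no recorded parent (PID 2916) starts C:\Windows\temp\z4calwqf.exe, which runs C:\Users\Admin\AppData\Roaming\TaskHost.exe; TaskHost.exe then removes recovery points three ways (vssadmin delete shadows, wmic shadowcopy delete, wbadmin delete catalog), opens the info.hta ransom note with mshta.exe and deletes itself behind a one-second choice delay. The Python below is an added example, not part of the sandbox report: it rebuilds process lineage from (pid, parent pid, command line) rows, matches each command line against a small rule set covering exactly the commands seen here, and groups hits by root ancestor so the analyst sees one finding per chain rather than a dozen unrelated alerts. The event rows are constructed from the PIDs and command lines on this page; the regexes, rule names and function names are this example's own.

```python
import re
from collections import defaultdict

# Process-creation rows (pid, parent pid, command line), constructed from the
# PIDs and command lines in this report's process tree. PID 2916 has no parent
# recorded on the page, so it is entered as a root. Not sandbox output.
EVENTS = [
    (812,  None, r'"C:\Users\Admin\AppData\Local\Temp\_$.exe"'),
    (3780, 812,  r'"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\30zrxhkv.inf'),
    (4092, None, r'taskkill /IM cmstp.exe /F'),
    (2916, None, r'cmd /c start C:\Windows\temp\z4calwqf.exe'),
    (584,  2916, r'C:\Windows\temp\z4calwqf.exe'),
    (1324, 584,  r'"C:\Users\Admin\AppData\Roaming\TaskHost.exe"'),
    (3768, 1324, r'"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet'),
    (356,  3768, r'vssadmin.exe delete shadows /all /quiet'),
    (2344, 1324, r'"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete'),
    (3820, 2344, r'wmic shadowcopy delete'),
    (3992, 1324, r'"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet'),
    (1068, 1324, r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"'),
    (3836, 1324, r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Roaming\TaskHost.exe"'),
]

# Rule names and patterns are this example's own; each targets one of the
# command lines recorded in the report.
RULES = {
    "vss_delete":         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadow_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin_catalog":    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "cmstp_inf":          re.compile(r'cmstp(\.exe)?"?\s+/au\s+\S+\.inf', re.I),
    "mshta_hta":          re.compile(r'mshta(\.exe)?"?\s+"?[^"]+\.hta', re.I),
    "self_delete":        re.compile(r"choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*del\b", re.I),
}


def lineage(by_pid, pid):
    """Walk parent pointers from pid to its root: [pid, parent, ..., root].
    Stops at an unknown parent and guards against a cycle in bad telemetry."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid][0]
    return chain


def match_rules(cmdline):
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def triage(events):
    """Group rule hits by root ancestor: {root pid: {pid: [rule names]}}."""
    by_pid = {pid: (ppid, cmd) for pid, ppid, cmd in events}
    findings = defaultdict(dict)
    for pid, _, cmd in events:
        hits = match_rules(cmd)
        if hits:
            findings[lineage(by_pid, pid)[-1]][pid] = hits
    return dict(findings)


def report(findings, events):
    """One line per hit with its full parent chain, for reading."""
    by_pid = {pid: (ppid, cmd) for pid, ppid, cmd in events}
    lines = []
    for root, hits in findings.items():
        lines.append(f"chain rooted at PID {root}:")
        for pid, names in hits.items():
            chain = " <- ".join(str(p) for p in lineage(by_pid, pid))
            lines.append(f"  {', '.join(names):<22} {chain}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(EVENTS), EVENTS))
```

Because the page records no parent for PID 2916, the tree has two roots (812 and 2916); the handoff from the cmstp INF to that cmd.exe is not on this page, so the example does not assume it. The cmd.exe wrappers match the same rule as their children (3768 and 356 both hit vss_delete), which is the intended outcome: on real telemetry (Sysmon event ID 1 or an EDR's process-start events) the wrapper is often the only process whose command line survives, so the rule should fire on either. Feed the same three fields from live data and widen the rule set; the grouping by root is what keeps one intrusion as one finding.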