Analysis
- max time kernel: 95s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-02-2021 10:58
Static task: static1
Behavioral task: behavioral1 (Sample: _$.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: _$.exe, Resource: win10v20201028)
General
- Target: _$.exe
- Size: 50KB
- MD5: 7c93a02c3a90f915530df1acaa07fec9
- SHA1: 1353fc85e84a431d43e519c8eef3d789b2a84be5
- SHA256: db5964ee570a1cbcbd1a0c7c8a7e4aadb44f64c27061ab25fde24a7f21d73f45
- SHA512: e8fa76667098d6d9caf3348dfd784ad68e14f44879d0a25a087486599478debc7f337669e16b444e3e056368faf7036ff39a2c60beb408af4bca2d4d151608f2
Malware Config
Extracted from C:\Users\Admin\Desktop\info.hta:
- parazite@tutanota.com
- alcmalcolm@cock.li
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    584  z4calwqf.exe
    1324 TaskHost.exe
- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description, ioc, process):
    File opened for modification | C:\Users\Admin\Pictures\SwitchProtect.png.arazite | TaskHost.exe
    File renamed | C:\Users\Admin\Pictures\SwitchProtect.png.arazite => C:\Users\Admin\Pictures\SwitchProtect.png.arazite | TaskHost.exe
    File renamed | C:\Users\Admin\Pictures\SwitchProtect.png => C:\Users\Admin\Pictures\SwitchProtect.png.arazite | TaskHost.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
    File created | C:\Windows\SysWOW64\@AudioToastIcon.png | TaskHost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Drops file in Program Files directory (64 IoCs)
  Processes: TaskHost.exe
- Drops file in Windows directory (64 IoCs)
  Processes: TaskHost.exe
- Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
    356  vssadmin.exe
    2052 vssadmin.exe
    976  vssadmin.exe
- Kills process with taskkill (1 IoC)
  Processes (pid, process):
    4092 taskkill.exe
- Modifies registry class (1 IoC)
  Processes (description, ioc, process):
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | TaskHost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: _$.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: _$.exe, taskkill.exe, z4calwqf.exe, TaskHost.exe, WMIC.exe, vssvc.exe, WMIC.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
    812 _$.exe
    812 _$.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: _$.exe, cmd.exe, z4calwqf.exe, cmd.exe, TaskHost.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
Processes (child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\_$.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\_$.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system32\cmstp.exe
    Command line: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\30zrxhkv.inf

C:\Windows\system32\cmd.exe
  Command line: cmd /c start C:\Windows\temp\z4calwqf.exe
  - Suspicious use of WriteProcessMemory
  C:\Windows\temp\z4calwqf.exe
    Command line: C:\Windows\temp\z4calwqf.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\TaskHost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\TaskHost.exe"
      - Executes dropped EXE
      - Modifies extensions of user files
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin.exe delete shadows /all /quiet
          - Interacts with shadow copies
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin.exe delete shadows /all /quiet
          - Interacts with shadow copies
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin.exe delete shadows /all /quiet
          - Interacts with shadow copies
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
      C:\Windows\SysWOW64\mshta.exe
        Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Roaming\TaskHost.exe"
        C:\Windows\SysWOW64\choice.exe
          Command line: choice /C Y /N /D Y /T 1
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Windows\temp\z4calwqf.exe"
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\choice.exe
        Command line: choice /C Y /N /D Y /T 1

C:\Windows\system32\taskkill.exe
  Command line: taskkill /IM cmstp.exe /F
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Roaming\TaskHost.exe
MD5 a6073d31eb10aaee44fea4aa90627629
SHA1 4d3711bb9e4162a4651fd53ce3ac25a555ef3a7d
SHA256 ae4140e284b0c132c88415bb6ceb195c220668d1c6ad64f72313ffffed8cd0a0
SHA512 081d4ad5bdaeaec02ce4d6ab5cad704580b3401ec42eb6b23b31d1f1ffa443e2e2d2970506b8f5b020dcc33bc1b2b5d2ef9ce63d641eb963521f4a0318e65663
-
C:\Users\Admin\Desktop\info.hta
MD5 a0e158a308a89132c4aad305e27f0784
SHA1 cf334bf9d01dcff9412d249b4aafad911fc15028
SHA256 638b0f9ee2dde8f74316b5b5dced64828d056b8944e8cac3a88921576458589d
SHA512 1d959f9ed6b048084134ce615bab3ecb4429c906ecd25dec8c2e50fb26270bceabe79039593179a7e91a0d50bb41fb6ac691fe4ab49a00573a02f9f712e7f775
-
C:\Windows\Temp\z4calwqf.exe
MD5 91ebd9edc1322c6200bef620dea7dde6
SHA1 adb5d32b4d03db0f39d2fb5be5769393099cc1fc
SHA256 6a2151f059327c592dec77ee158596f4bbb64ded544a3e3be77f2765d02f6597
SHA512 d26dae8a8fa0fa244d024192baeb768bd3668a089e236f77f97530b240cea1ddfe51d7a1f53c9ca6593e74db4fc07cddd4c130c29f24d7c0c1e3c6d9d75a30fd
-
C:\Windows\temp\30zrxhkv.inf
MD5 c5a5f3714941a6b4f42acb87dc40f6d2
SHA1 7bbce16eee198ad265b76b6ce98a6b3389170d40
SHA256 0ead4918e97fcf67eff46e4e5f599b1f32cbe73f2ba9352c51e56635f358e2b0
SHA512 28e5042ba9418941d7c20e63073957fb7116cee83bb89a4581b62b8f9d3177b406b122f37779ac95bb1c8f5e6e3a1541c3089c10e4bb428fb90658d44a47a738
-
C:\Windows\temp\z4calwqf.exe
MD5 91ebd9edc1322c6200bef620dea7dde6
SHA1 adb5d32b4d03db0f39d2fb5be5769393099cc1fc
SHA256 6a2151f059327c592dec77ee158596f4bbb64ded544a3e3be77f2765d02f6597
SHA512 d26dae8a8fa0fa244d024192baeb768bd3668a089e236f77f97530b240cea1ddfe51d7a1f53c9ca6593e74db4fc07cddd4c130c29f24d7c0c1e3c6d9d75a30fd
-
memory/356-40-0x0000000000000000-mapping.dmp
-
memory/584-19-0x0000000000000000-mapping.dmp
-
memory/584-23-0x00000000006E0000-0x00000000006E1000-memory.dmp (Filesize 4KB)
-
memory/584-22-0x0000000074070000-0x000000007475E000-memory.dmp (Filesize 6.9MB)
-
memory/812-17-0x000000001AF34000-0x000000001AF36000-memory.dmp (Filesize 8KB)
-
memory/812-16-0x000000001AF32000-0x000000001AF34000-memory.dmp (Filesize 8KB)
-
memory/812-15-0x000000001AF30000-0x000000001AF32000-memory.dmp (Filesize 8KB)
-
memory/812-2-0x00007FFB852D0000-0x00007FFB85CBC000-memory.dmp (Filesize 9.9MB)
-
memory/812-3-0x0000000000380000-0x0000000000381000-memory.dmp (Filesize 4KB)
-
memory/976-52-0x0000000000000000-mapping.dmp
-
memory/1068-50-0x0000000000000000-mapping.dmp
-
memory/1324-33-0x0000000005730000-0x0000000005731000-memory.dmp (Filesize 4KB)
-
memory/1324-36-0x0000000005930000-0x0000000005931000-memory.dmp (Filesize 4KB)
-
memory/1324-29-0x0000000000ED0000-0x0000000000ED1000-memory.dmp (Filesize 4KB)
-
memory/1324-31-0x0000000005D50000-0x0000000005D51000-memory.dmp (Filesize 4KB)
-
memory/1324-28-0x0000000074070000-0x000000007475E000-memory.dmp (Filesize 6.9MB)
-
memory/1324-25-0x0000000000000000-mapping.dmp
-
memory/1324-35-0x0000000005700000-0x0000000005701000-memory.dmp (Filesize 4KB)
-
memory/1352-54-0x0000000000000000-mapping.dmp
-
memory/1376-32-0x0000000000000000-mapping.dmp
-
memory/2052-45-0x0000000000000000-mapping.dmp
-
memory/2336-42-0x0000000000000000-mapping.dmp
-
memory/2344-38-0x0000000000000000-mapping.dmp
-
memory/2572-46-0x0000000000000000-mapping.dmp
-
memory/3252-48-0x0000000000000000-mapping.dmp
-
memory/3392-43-0x0000000000000000-mapping.dmp
-
memory/3488-47-0x0000000000000000-mapping.dmp
-
memory/3508-44-0x0000000000000000-mapping.dmp
-
memory/3768-37-0x0000000000000000-mapping.dmp
-
memory/3780-9-0x00000217F8610000-0x00000217F8611000-memory.dmp (Filesize 4KB)
-
memory/3780-12-0x00000217F8670000-0x00000217F8671000-memory.dmp (Filesize 4KB)
-
memory/3780-7-0x00000217F8610000-0x00000217F8611000-memory.dmp (Filesize 4KB)
-
memory/3780-5-0x0000000000000000-mapping.dmp
-
memory/3820-41-0x0000000000000000-mapping.dmp
-
memory/3832-49-0x0000000000000000-mapping.dmp
-
memory/3836-53-0x0000000000000000-mapping.dmp
-
memory/3840-51-0x0000000000000000-mapping.dmp
-
memory/3948-34-0x0000000000000000-mapping.dmp
-
memory/3992-39-0x0000000000000000-mapping.dmp