Analysis
-
max time kernel
152s -
max time network
151s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
29/08/2021, 02:28
Static task
static1
Behavioral task
behavioral1
Sample
b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483.exe
Resource
win10v20210408
buranraccoonredlinesmokeloaderd02c5d65069fc7ce1993e7c52edf0c9c4c195c81nnbackdoordiscoveryevasioninfostealerpersistenceransomwarespywarestealerthemidatrojan
windows10_x64
0 signatures
0 seconds
General
-
Target
b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483.exe
-
Size
142KB
-
MD5
88d7e4d97668f06068ec238fabc59d82
-
SHA1
c5ded1e34d8b1aaa62d8fcc45f245ebe3922baed
-
SHA256
b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483
-
SHA512
0629a9226af34f4f0c573a92cf567952c46acd6b707e0c576189ac96999d7ca24c00e0d19e428672566aa4dc72778c1d39053b296d6441946db4c646d6728f68
Malware Config
Extracted
Path
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family
buran
Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!!
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
PAY FAST 500$=0.013 btc
or the price will increase tomorrow
bitcoin address
bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8
To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free.
But this file should be of not valuable!
Do you really want to restore your files?
[email protected]
TELEGRAM @ payfast290
Your personal ID: 3AB-4F6-103
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Extracted
Family
smokeloader
Version
2020
C2
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
rc4.i32
rc4.i32
Extracted
Family
redline
Botnet
nn
C2
135.181.49.56:47634
Extracted
Family
raccoon
Botnet
d02c5d65069fc7ce1993e7c52edf0c9c4c195c81
Attributes
-
url4cnc
https://telete.in/open3entershift
rc4.plain
rc4.plain
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
resource yara_rule behavioral1/memory/2316-184-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/2316-187-0x000000000041C5C6-mapping.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
description pid Process procid_target PID 2852 created 1496 2852 WerFault.exe 85 -
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Nirsoft 3 IoCs
resource yara_rule behavioral1/files/0x00030000000155ab-157.dat Nirsoft behavioral1/files/0x00030000000155ab-161.dat Nirsoft behavioral1/files/0x00030000000155ab-164.dat Nirsoft -
Executes dropped EXE 9 IoCs
pid Process 2168 EB6F.exe 4044 F217.exe 4092 F41C.exe 3916 F71A.exe 1496 FA48.exe 2848 AdvancedRun.exe 1420 AdvancedRun.exe 3240 services.exe 4976 services.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion EB6F.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion EB6F.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion F217.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion F217.exe -
Deletes itself 1 IoCs
pid Process 2988 Process not Found -
Loads dropped DLL 1 IoCs
pid Process 1496 FA48.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x000400000001ab24-119.dat themida behavioral1/files/0x000400000001ab24-120.dat themida behavioral1/files/0x000200000001ab25-124.dat themida behavioral1/files/0x000200000001ab25-125.dat themida behavioral1/memory/2168-126-0x0000000000850000-0x0000000000851000-memory.dmp themida -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths F41C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\F41C.exe = "0" F41C.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection F41C.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features F41C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" F41C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" F41C.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions F41C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" F41C.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet F41C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" F41C.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run F71A.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start" F71A.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA EB6F.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA F41C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" F41C.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA F217.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: services.exe File opened (read-only) \??\J: services.exe File opened (read-only) \??\F: services.exe File opened (read-only) \??\E: services.exe File opened (read-only) \??\Y: services.exe File opened (read-only) \??\V: services.exe File opened (read-only) \??\T: services.exe File opened (read-only) \??\Q: services.exe File opened (read-only) \??\B: services.exe File opened (read-only) \??\I: services.exe File opened (read-only) \??\H: services.exe File opened (read-only) \??\W: services.exe File opened (read-only) \??\U: services.exe File opened (read-only) \??\P: services.exe File opened (read-only) \??\N: services.exe File opened (read-only) \??\L: services.exe File opened (read-only) \??\G: services.exe File opened (read-only) \??\A: services.exe File opened (read-only) \??\Z: services.exe File opened (read-only) \??\S: services.exe File opened (read-only) \??\O: services.exe File opened (read-only) \??\M: services.exe File opened (read-only) \??\X: services.exe File opened (read-only) \??\R: services.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 23 geoiptool.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2168 EB6F.exe 4044 F217.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 568 set thread context of 3144 568 b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483.exe 77 PID 4092 set thread context of 2316 4092 F41C.exe 103 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496939244.profile.gz.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.White.png.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfontj2d.properties services.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL115.XML.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGIB.TTF services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\MANIFEST.MF.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-ms.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoutilstat.etw.man services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-100.png.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config services.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.LEX services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ppd.xrm-ms.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.tree.dat.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.ELM services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-oob.xrm-ms services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.White.png.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightRegular.ttf services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ppd.xrm-ms.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\PREVIEW.GIF.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_FR.LEX.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-oob.xrm-ms services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.payfast290.3AB-4F6-103 services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-140.png services.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.LEX.payfast290.3AB-4F6-103 services.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 14 IoCs
pid pid_target Process procid_target 4236 1496 WerFault.exe 85 4352 1496 WerFault.exe 85 4500 1496 WerFault.exe 85 4572 1496 WerFault.exe 85 4700 1496 WerFault.exe 85 4440 1496 WerFault.exe 85 3724 1496 WerFault.exe 85 4992 1496 WerFault.exe 85 4680 1496 WerFault.exe 85 4428 1496 WerFault.exe 85 1732 1496 WerFault.exe 85 1268 1496 WerFault.exe 85 5060 1496 WerFault.exe 85 2852 1496 WerFault.exe 85 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1080 vssadmin.exe 4196 vssadmin.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 F71A.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e F71A.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3144 b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483.exe 3144 b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483.exe 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2988 Process not Found -
Suspicious behavior: MapViewOfSection 19 IoCs
pid Process 3144 b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483.exe 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found 2988 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2988 Process not Found Token: SeCreatePagefilePrivilege 2988 Process not Found Token: SeShutdownPrivilege 2988 Process not Found Token: SeCreatePagefilePrivilege 2988 Process not Found Token: SeShutdownPrivilege 2988 Process not Found Token: SeCreatePagefilePrivilege 2988 Process not Found Token: SeShutdownPrivilege 2988 Process not Found Token: SeCreatePagefilePrivilege 2988 Process not Found Token: SeShutdownPrivilege 2988 Process not Found Token: SeCreatePagefilePrivilege 2988 Process not Found Token: SeShutdownPrivilege 2988 Process not Found Token: SeCreatePagefilePrivilege 2988 Process not Found Token: SeDebugPrivilege 2848 AdvancedRun.exe Token: SeImpersonatePrivilege 2848 AdvancedRun.exe Token: SeDebugPrivilege 1420 AdvancedRun.exe Token: SeImpersonatePrivilege 1420 AdvancedRun.exe Token: SeDebugPrivilege 3916 F71A.exe Token: SeDebugPrivilege 3916 F71A.exe Token: SeDebugPrivilege 4092 F41C.exe Token: SeDebugPrivilege 2816 powershell.exe Token: SeDebugPrivilege 2264 powershell.exe Token: SeDebugPrivilege 2168 EB6F.exe Token: SeDebugPrivilege 2316 MSBuild.exe Token: SeRestorePrivilege 4236 WerFault.exe Token: SeBackupPrivilege 4236 WerFault.exe Token: SeBackupPrivilege 4236 WerFault.exe Token: SeDebugPrivilege 4236 WerFault.exe Token: SeDebugPrivilege 4352 WerFault.exe Token: SeDebugPrivilege 4500 WerFault.exe Token: SeDebugPrivilege 4572 WerFault.exe Token: SeDebugPrivilege 4700 WerFault.exe Token: SeDebugPrivilege 4440 WerFault.exe Token: SeIncreaseQuotaPrivilege 3084 WMIC.exe Token: SeSecurityPrivilege 3084 WMIC.exe Token: SeTakeOwnershipPrivilege 3084 WMIC.exe Token: SeLoadDriverPrivilege 3084 WMIC.exe Token: SeSystemProfilePrivilege 3084 WMIC.exe Token: SeSystemtimePrivilege 3084 WMIC.exe Token: SeProfSingleProcessPrivilege 3084 WMIC.exe Token: SeIncBasePriorityPrivilege 3084 WMIC.exe Token: SeCreatePagefilePrivilege 3084 WMIC.exe Token: SeBackupPrivilege 3084 WMIC.exe Token: SeRestorePrivilege 3084 WMIC.exe Token: SeShutdownPrivilege 3084 WMIC.exe Token: SeDebugPrivilege 3084 WMIC.exe Token: SeSystemEnvironmentPrivilege 3084 WMIC.exe Token: SeRemoteShutdownPrivilege 3084 WMIC.exe Token: SeUndockPrivilege 3084 WMIC.exe Token: SeManageVolumePrivilege 3084 WMIC.exe Token: 33 3084 WMIC.exe Token: 34 3084 WMIC.exe Token: 35 3084 WMIC.exe Token: 36 3084 WMIC.exe Token: SeShutdownPrivilege 2988 Process not Found Token: SeCreatePagefilePrivilege 2988 Process not Found Token: SeShutdownPrivilege 2988 Process not Found Token: SeCreatePagefilePrivilege 2988 Process not Found Token: SeShutdownPrivilege 2988 Process not Found Token: SeCreatePagefilePrivilege 2988 Process not Found Token: SeDebugPrivilege 3724 WerFault.exe Token: SeBackupPrivilege 4684 vssvc.exe Token: SeRestorePrivilege 4684 vssvc.exe Token: SeAuditPrivilege 4684 vssvc.exe Token: SeIncreaseQuotaPrivilege 3084 WMIC.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 2988 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 568 wrote to memory of 3144 568 b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483.exe 77 PID 568 wrote to memory of 3144 568 b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483.exe 77 PID 568 wrote to memory of 3144 568 b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483.exe 77 PID 568 wrote to memory of 3144 568 b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483.exe 77 PID 568 wrote to memory of 3144 568 b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483.exe 77 PID 568 wrote to memory of 3144 568 b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483.exe 77 PID 2988 wrote to memory of 2168 2988 Process not Found 79 PID 2988 wrote to memory of 2168 2988 Process not Found 79 PID 2988 wrote to memory of 2168 2988 Process not Found 79 PID 2988 wrote to memory of 4044 2988 Process not Found 81 PID 2988 wrote to memory of 4044 2988 Process not Found 81 PID 2988 wrote to memory of 4044 2988 Process not Found 81 PID 2988 wrote to memory of 4092 2988 Process not Found 83 PID 2988 wrote to memory of 4092 2988 Process not Found 83 PID 2988 wrote to memory of 4092 2988 Process not Found 83 PID 2988 wrote to memory of 3916 2988 Process not Found 84 PID 2988 wrote to memory of 3916 2988 Process not Found 84 PID 2988 wrote to memory of 3916 2988 Process not Found 84 PID 2988 wrote to memory of 1496 2988 Process not Found 85 PID 2988 wrote to memory of 1496 2988 Process not Found 85 PID 2988 wrote to memory of 1496 2988 Process not Found 85 PID 2988 wrote to memory of 2312 2988 Process not Found 86 PID 2988 wrote to memory of 2312 2988 Process not Found 86 PID 2988 wrote to memory of 2312 2988 Process not Found 86 PID 2988 wrote to memory of 2312 2988 Process not Found 86 PID 2988 wrote to memory of 2432 2988 Process not Found 100 PID 2988 wrote to memory of 2432 2988 Process not Found 100 PID 2988 wrote to memory of 2432 2988 Process not Found 100 PID 4092 wrote to memory of 2848 4092 F41C.exe 88 PID 4092 wrote to memory of 2848 4092 F41C.exe 88 PID 4092 wrote to memory of 2848 4092 F41C.exe 88 PID 2988 wrote to memory of 3496 2988 Process not Found 89 PID 2988 wrote to memory of 3496 2988 Process not Found 89 PID 2988 wrote to memory of 3496 2988 Process not Found 89 PID 2988 wrote to memory of 3496 2988 Process not Found 89 PID 2848 wrote to memory of 1420 2848 AdvancedRun.exe 90 PID 2848 wrote to memory of 1420 2848 AdvancedRun.exe 90 PID 2848 wrote to memory of 1420 2848 AdvancedRun.exe 90 PID 2988 wrote to memory of 3236 2988 Process not Found 92 PID 2988 wrote to memory of 3236 2988 Process not Found 92 PID 2988 wrote to memory of 3236 2988 Process not Found 92 PID 2988 wrote to memory of 3352 2988 Process not Found 93 PID 2988 wrote to memory of 3352 2988 Process not Found 93 PID 2988 wrote to memory of 3352 2988 Process not Found 93 PID 2988 wrote to memory of 3352 2988 Process not Found 93 PID 2988 wrote to memory of 3924 2988 Process not Found 94 PID 2988 wrote to memory of 3924 2988 Process not Found 94 PID 2988 wrote to memory of 3924 2988 Process not Found 94 PID 2988 wrote to memory of 3852 2988 Process not Found 95 PID 2988 wrote to memory of 3852 2988 Process not Found 95 PID 2988 wrote to memory of 3852 2988 Process not Found 95 PID 2988 wrote to memory of 3852 2988 Process not Found 95 PID 4092 wrote to memory of 2264 4092 F41C.exe 96 PID 4092 wrote to memory of 2264 4092 F41C.exe 96 PID 4092 wrote to memory of 2264 4092 F41C.exe 96 PID 4092 wrote to memory of 2816 4092 F41C.exe 98 PID 4092 wrote to memory of 2816 4092 F41C.exe 98 PID 4092 wrote to memory of 2816 4092 F41C.exe 98 PID 3916 wrote to memory of 3240 3916 F71A.exe 99 PID 3916 wrote to memory of 3240 3916 F71A.exe 99 PID 3916 wrote to memory of 3240 3916 F71A.exe 99 PID 2988 wrote to memory of 2432 2988 Process not Found 100 PID 2988 wrote to memory of 2432 2988 Process not Found 100 PID 2988 wrote to memory of 2432 2988 Process not Found 100 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" F41C.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483.exe"C:\Users\Admin\AppData\Local\Temp\b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Users\Admin\AppData\Local\Temp\b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483.exe"C:\Users\Admin\AppData\Local\Temp\b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3144
-
-
C:\Users\Admin\AppData\Local\Temp\EB6F.exeC:\Users\Admin\AppData\Local\Temp\EB6F.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
C:\Users\Admin\AppData\Local\Temp\F217.exeC:\Users\Admin\AppData\Local\Temp\F217.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4044
-
C:\Users\Admin\AppData\Local\Temp\F41C.exeC:\Users\Admin\AppData\Local\Temp\F41C.exe1⤵
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4092 -
C:\Users\Admin\AppData\Local\Temp\e2be16ef-34b2-44f7-a44b-918cfb8aa910\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\e2be16ef-34b2-44f7-a44b-918cfb8aa910\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\e2be16ef-34b2-44f7-a44b-918cfb8aa910\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Users\Admin\AppData\Local\Temp\e2be16ef-34b2-44f7-a44b-918cfb8aa910\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\e2be16ef-34b2-44f7-a44b-918cfb8aa910\AdvancedRun.exe" /SpecialRun 4101d8 28483⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1420
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\F41C.exe" -Force2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2264
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\F41C.exe" -Force2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2316
-
-
C:\Users\Admin\AppData\Local\Temp\F71A.exeC:\Users\Admin\AppData\Local\Temp\F71A.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start2⤵
- Executes dropped EXE
- Enumerates connected drives
PID:3240 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵PID:4760
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3084
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵PID:4784
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵PID:4804
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵PID:4852
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵PID:4896
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:1080
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 03⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4976
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat3⤵PID:4932
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵PID:3340
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:4196
-
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe2⤵PID:2340
-
-
C:\Users\Admin\AppData\Local\Temp\FA48.exeC:\Users\Admin\AppData\Local\Temp\FA48.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 7362⤵
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4236
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 7522⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4352
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 7882⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4500
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 8962⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4572
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 11802⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4700
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 12362⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4440
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 12242⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3724
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 12442⤵
- Program crash
PID:4992
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 11642⤵
- Program crash
PID:4680
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 6722⤵
- Program crash
PID:4428
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 8322⤵
- Program crash
PID:1732
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 11642⤵
- Program crash
PID:1268
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 12242⤵
- Program crash
PID:5060
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 13202⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:2852
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:2312
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:2432
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:3496
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:3236
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:3352
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:3924
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:3852
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:2432
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:8
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4684
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
Bypass User Account Control
1Disabling Security Tools
4File Deletion
2Install Root Certificate
1Modify Registry
7Virtualization/Sandbox Evasion
1Web Service
1