Analysis

  max time kernel: 153s
  max time network: 149s
  platform: windows10_x64
  resource: win10v20210408
  submitted: 29-08-2021 06:26

  Static task: static1
  Behavioral task: behavioral1
    Sample: b5833925165ca938c5003d9570245b401e9ce55e0d421bebf84c1ecbb49ebffe.exe
    Resource: win10v20210408

General

  Target: b5833925165ca938c5003d9570245b401e9ce55e0d421bebf84c1ecbb49ebffe.exe
  Size: 143KB
  MD5: e162867094fe391d1fd2f61c32bf9913
  SHA1: 1fcfbec61c0d4c0f45928ec05c7a9eda9dcb92ea
  SHA256: b5833925165ca938c5003d9570245b401e9ce55e0d421bebf84c1ecbb49ebffe
  SHA512: be666aa8b36f7b3cbc8faf4ba1e908a15fc5c3241ffb82bab35003f8daef8799d5b1d0dad67af1909cdc715ca59527b3940ddde4a5886ce860917f6941ceb212
Malware Config

Extracted
  Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  Family: buran

Extracted
  Family: smokeloader
  Version: 2020
Extracted
  Family: redline
  Botnet: WORD1
  C2: 94.26.249.88:1902

Extracted
  Family: raccoon
  Botnet: 20d9c80657d1d0fda9625cbd629ba419b8a34404
  Attributes:
    url4cnc: https://telete.in/hfuimoneymake

Extracted
  Family: raccoon
  Botnet: d02c5d65069fc7ce1993e7c52edf0c9c4c195c81
  Attributes:
    url4cnc: https://telete.in/open3entershift
Signatures

Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 3 IoCs
  resource | yara_rule
  behavioral1/memory/1568-142-0x000000000041A68E-mapping.dmp | family_redline
  behavioral1/memory/1568-141-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral1/memory/1568-151-0x0000000005400000-0x0000000005A06000-memory.dmp | family_redline

SmokeLoader
  Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  description | pid | Process | procid_target
  PID 4484 created 852 | 4484 | WerFault.exe | 79

Deletes shadow copies 2 TTPs
  Ransomware often targets backup files to inhibit system recovery.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

Downloads MZ/PE file

Executes dropped EXE 8 IoCs
  pid | Process
  852 | E6BC.exe
  364 | E798.exe
  1148 | ED84.exe
  3104 | FBBE.exe
  2840 | FF0B.exe
  3160 | 6CC.exe
  4664 | csrss.exe
  1512 | csrss.exe

Checks BIOS information in registry 2 TTPs 4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ED84.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | FBBE.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | FBBE.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ED84.exe

Deletes itself 1 IoCs
  pid | Process
  2900 | Process not Found

Loads dropped DLL 1 IoCs
  pid | Process
  852 | E6BC.exe

Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.

themida 6 IoCs
  resource | yara_rule
  behavioral1/files/0x000200000001ab40-127.dat | themida
  behavioral1/files/0x000200000001ab40-128.dat | themida
  behavioral1/memory/1148-131-0x0000000000D30000-0x0000000000D31000-memory.dmp | themida
  behavioral1/files/0x000200000001ab42-146.dat | themida
  behavioral1/files/0x000200000001ab42-153.dat | themida
  behavioral1/memory/3104-226-0x0000000000AF0000-0x0000000000AF1000-memory.dmp | themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 2 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start" | FF0B.exe
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run | FF0B.exe

Checks installed software on the system 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled 2 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ED84.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | FBBE.exe

Enumerates connected drives 3 TTPs 24 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\W: | csrss.exe
  File opened (read-only) | \??\V: | csrss.exe
  File opened (read-only) | \??\S: | csrss.exe
  File opened (read-only) | \??\E: | csrss.exe
  File opened (read-only) | \??\Z: | csrss.exe
  File opened (read-only) | \??\T: | csrss.exe
  File opened (read-only) | \??\R: | csrss.exe
  File opened (read-only) | \??\O: | csrss.exe
  File opened (read-only) | \??\M: | csrss.exe
  File opened (read-only) | \??\H: | csrss.exe
  File opened (read-only) | \??\X: | csrss.exe
  File opened (read-only) | \??\P: | csrss.exe
  File opened (read-only) | \??\N: | csrss.exe
  File opened (read-only) | \??\L: | csrss.exe
  File opened (read-only) | \??\K: | csrss.exe
  File opened (read-only) | \??\G: | csrss.exe
  File opened (read-only) | \??\A: | csrss.exe
  File opened (read-only) | \??\Y: | csrss.exe
  File opened (read-only) | \??\U: | csrss.exe
  File opened (read-only) | \??\Q: | csrss.exe
  File opened (read-only) | \??\J: | csrss.exe
  File opened (read-only) | \??\I: | csrss.exe
  File opened (read-only) | \??\F: | csrss.exe
  File opened (read-only) | \??\B: | csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  32 | geoiptool.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  pid | Process
  1148 | ED84.exe
  3104 | FBBE.exe

Suspicious use of SetThreadContext 2 IoCs
  description | pid | Process | procid_target
  PID 4796 set thread context of 4216 | 4796 | b5833925165ca938c5003d9570245b401e9ce55e0d421bebf84c1ecbb49ebffe.exe | 77
  PID 364 set thread context of 1568 | 364 | E798.exe | 83

Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 14 IoCs
  pid | pid_target | Process | procid_target
  1816 | 852 | WerFault.exe | 79
  4768 | 852 | WerFault.exe | 79
  936 | 852 | WerFault.exe | 79
  2076 | 852 | WerFault.exe | 79
  1520 | 852 | WerFault.exe | 79
  2260 | 852 | WerFault.exe | 79
  4160 | 852 | WerFault.exe | 79
  4192 | 852 | WerFault.exe | 79
  3732 | 852 | WerFault.exe | 79
  4848 | 852 | WerFault.exe | 79
  3444 | 852 | WerFault.exe | 79
  508 | 852 | WerFault.exe | 79
  5040 | 852 | WerFault.exe | 79
  4484 | 852 | WerFault.exe | 79

Checks SCSI registry key(s) 3 TTPs 3 IoCs
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | b5833925165ca938c5003d9570245b401e9ce55e0d421bebf84c1ecbb49ebffe.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | b5833925165ca938c5003d9570245b401e9ce55e0d421bebf84c1ecbb49ebffe.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | b5833925165ca938c5003d9570245b401e9ce55e0d421bebf84c1ecbb49ebffe.exe

Interacts with shadow copies 2 TTPs 2 IoCs
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  4576 | vssadmin.exe
  2072 | vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid | Process
  2900 | Process not Found

Suspicious behavior: MapViewOfSection 19 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of UnmapMainImage 1 IoCs
  pid | Process
  2900 | Process not Found

Suspicious use of WriteProcessMemory 64 IoCs
Processes

Child processes are indented under their parent.

C:\Users\Admin\AppData\Local\Temp\b5833925165ca938c5003d9570245b401e9ce55e0d421bebf84c1ecbb49ebffe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b5833925165ca938c5003d9570245b401e9ce55e0d421bebf84c1ecbb49ebffe.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4796

    C:\Users\Admin\AppData\Local\Temp\b5833925165ca938c5003d9570245b401e9ce55e0d421bebf84c1ecbb49ebffe.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\b5833925165ca938c5003d9570245b401e9ce55e0d421bebf84c1ecbb49ebffe.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      PID: 4216

C:\Users\Admin\AppData\Local\Temp\E6BC.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\E6BC.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 852

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 736
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      PID: 1816

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 748
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      PID: 4768

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 772
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      PID: 936

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 896
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      PID: 2076

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1176
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      PID: 1520

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1216
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      PID: 2260

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1244
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      PID: 4160

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1144
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      PID: 4192

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1264
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      PID: 3732

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1336
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      PID: 4848

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1408
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      PID: 3444

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1280
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      PID: 508

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1416
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      PID: 5040

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1388
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      PID: 4484

C:\Users\Admin\AppData\Local\Temp\E798.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\E798.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 364

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 1568

C:\Users\Admin\AppData\Local\Temp\ED84.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\ED84.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID: 1148

C:\Users\Admin\AppData\Local\Temp\FBBE.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\FBBE.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID: 3104

C:\Users\Admin\AppData\Local\Temp\FF0B.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\FF0B.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2840

    C:\Windows\SysWOW64\notepad.exe
      Command line: notepad.exe
      PID: 4668

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
      - Executes dropped EXE
      - Enumerates connected drives
      PID: 4664

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
          PID: 4184

            C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic shadowcopy delete
              - Suspicious use of AdjustPrivilegeToken
              PID: 1940

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
          PID: 5044

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
          PID: 744

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
          PID: 4884

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
          PID: 1672

            C:\Windows\SysWOW64\vssadmin.exe
              Command line: vssadmin delete shadows /all /quiet
              - Interacts with shadow copies
              PID: 4576

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
          PID: 1152

            C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic shadowcopy delete
              PID: 648

            C:\Windows\SysWOW64\vssadmin.exe
              Command line: vssadmin delete shadows /all /quiet
              - Interacts with shadow copies
              PID: 2072

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
          - Executes dropped EXE
          - Drops file in Program Files directory
          PID: 1512

C:\Users\Admin\AppData\Local\Temp\6CC.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\6CC.exe
  - Executes dropped EXE
  PID: 3160

C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  PID: 4488

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  PID: 3836

C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  PID: 4552

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  PID: 4600

C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  PID: 4748

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  PID: 188

C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  PID: 2188

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  PID: 3340

C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  PID: 3820

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1660