Analysis
-
max time kernel
157s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
29-08-2021 05:25
Static task
static1
Behavioral task
behavioral1
Sample
df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90.exe
Resource
win10v20210408
General
-
Target
df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90.exe
-
Size
142KB
-
MD5
f2d3cd5cd679fc9dd8e339449406abf1
-
SHA1
783c5df2051f8cc5b9817d44d0c792ccd5286710
-
SHA256
df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90
-
SHA512
401b8681a14e158e184a8de8fa9e9710d7c4a1d2358ef5efe6bfb3f1052877120a896946b782abb4938ecd62f6503367e5d603387dd8c436e6f1eb392c001db4
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Extracted
smokeloader
2020
Extracted
raccoon
d02c5d65069fc7ce1993e7c52edf0c9c4c195c81
-
url4cnc
https://telete.in/open3entershift
Extracted
redline
nn
135.181.49.56:47634
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
resource yara_rule behavioral1/memory/3932-214-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/3932-215-0x000000000041C5C6-mapping.dmp family_redline behavioral1/memory/3932-223-0x0000000004E40000-0x0000000005446000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
description pid Process procid_target PID 5020 created 1988 5020 WerFault.exe 85 -
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Nirsoft 3 IoCs
resource yara_rule behavioral1/files/0x00030000000155ab-170.dat Nirsoft behavioral1/files/0x00030000000155ab-174.dat Nirsoft behavioral1/files/0x00030000000155ab-176.dat Nirsoft -
Executes dropped EXE 11 IoCs
pid Process 2352 C569.exe 1496 CC20.exe 3144 CE44.exe 1288 D114.exe 1988 D328.exe 744 AdvancedRun.exe 3640 AdvancedRun.exe 1748 svchost.exe 4176 eshdsse 4904 svchost.exe 4420 eshdsse -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion CC20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion CC20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C569.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C569.exe -
Deletes itself 1 IoCs
pid Process 3000 Process not Found -
Loads dropped DLL 1 IoCs
pid Process 1988 D328.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x000400000001ab1e-119.dat themida behavioral1/files/0x000400000001ab1e-120.dat themida behavioral1/files/0x000200000001ab1f-123.dat themida behavioral1/files/0x000200000001ab1f-124.dat themida behavioral1/memory/2352-129-0x0000000000D90000-0x0000000000D91000-memory.dmp themida behavioral1/memory/1496-135-0x0000000000180000-0x0000000000181000-memory.dmp themida -
Windows security modification
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\CE44.exe = "0" CE44.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" CE44.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" CE44.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features CE44.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths CE44.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions CE44.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection CE44.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" CE44.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet CE44.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" CE44.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start" D114.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run D114.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C569.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA CC20.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA CE44.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" CE44.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: svchost.exe File opened (read-only) \??\N: svchost.exe File opened (read-only) \??\H: svchost.exe File opened (read-only) \??\E: svchost.exe File opened (read-only) \??\W: svchost.exe File opened (read-only) \??\S: svchost.exe File opened (read-only) \??\R: svchost.exe File opened (read-only) \??\P: svchost.exe File opened (read-only) \??\O: svchost.exe File opened (read-only) \??\I: svchost.exe File opened (read-only) \??\B: svchost.exe File opened (read-only) \??\Y: svchost.exe File opened (read-only) \??\X: svchost.exe File opened (read-only) \??\T: svchost.exe File opened (read-only) \??\Q: svchost.exe File opened (read-only) \??\L: svchost.exe File opened (read-only) \??\J: svchost.exe File opened (read-only) \??\F: svchost.exe File opened (read-only) \??\A: svchost.exe File opened (read-only) \??\Z: svchost.exe File opened (read-only) \??\M: svchost.exe File opened (read-only) \??\K: svchost.exe File opened (read-only) \??\G: svchost.exe File opened (read-only) \??\V: svchost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 24 geoiptool.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2352 C569.exe 1496 CC20.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 3920 set thread context of 2152 3920 df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90.exe 77 PID 3144 set thread context of 3932 3144 CE44.exe 106 PID 4176 set thread context of 4420 4176 eshdsse 141 -
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 14 IoCs
pid pid_target Process procid_target 3920 1988 WerFault.exe 85 1768 1988 WerFault.exe 85 4156 1988 WerFault.exe 85 4204 1988 WerFault.exe 85 4260 1988 WerFault.exe 85 4328 1988 WerFault.exe 85 4416 1988 WerFault.exe 85 4564 1988 WerFault.exe 85 4664 1988 WerFault.exe 85 5084 1988 WerFault.exe 85 4248 1988 WerFault.exe 85 4584 1988 WerFault.exe 85 4664 1988 WerFault.exe 85 5020 1988 WerFault.exe 85 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI eshdsse Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI eshdsse Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI eshdsse Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4128 vssadmin.exe 4668 vssadmin.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 D114.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) D114.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2152 df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90.exe 2152 df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90.exe 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3000 Process not Found -
Suspicious behavior: MapViewOfSection 20 IoCs
pid Process 2152 df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90.exe 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 3000 Process not Found 4420 eshdsse -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3000 Process not Found Token: SeCreatePagefilePrivilege 3000 Process not Found Token: SeShutdownPrivilege 3000 Process not Found Token: SeCreatePagefilePrivilege 3000 Process not Found Token: SeShutdownPrivilege 3000 Process not Found Token: SeCreatePagefilePrivilege 3000 Process not Found Token: SeShutdownPrivilege 3000 Process not Found Token: SeCreatePagefilePrivilege 3000 Process not Found Token: SeShutdownPrivilege 3000 Process not Found Token: SeCreatePagefilePrivilege 3000 Process not Found Token: SeShutdownPrivilege 3000 Process not Found Token: SeCreatePagefilePrivilege 3000 Process not Found Token: SeShutdownPrivilege 3000 Process not Found Token: SeCreatePagefilePrivilege 3000 Process not Found Token: SeDebugPrivilege 744 AdvancedRun.exe Token: SeImpersonatePrivilege 744 AdvancedRun.exe Token: SeDebugPrivilege 3640 AdvancedRun.exe Token: SeImpersonatePrivilege 3640 AdvancedRun.exe Token: SeDebugPrivilege 1288 D114.exe Token: SeDebugPrivilege 1288 D114.exe Token: SeRestorePrivilege 3920 WerFault.exe Token: SeBackupPrivilege 3920 WerFault.exe Token: SeBackupPrivilege 3920 WerFault.exe Token: SeDebugPrivilege 3144 CE44.exe Token: SeDebugPrivilege 3920 WerFault.exe Token: SeDebugPrivilege 3108 powershell.exe Token: SeDebugPrivilege 3628 powershell.exe Token: SeDebugPrivilege 1768 WerFault.exe Token: SeDebugPrivilege 4156 WerFault.exe Token: SeDebugPrivilege 4204 WerFault.exe Token: SeDebugPrivilege 4260 WerFault.exe Token: SeDebugPrivilege 4328 WerFault.exe Token: SeDebugPrivilege 2352 C569.exe Token: SeDebugPrivilege 1496 CC20.exe Token: SeDebugPrivilege 4416 WerFault.exe Token: SeDebugPrivilege 3932 ngentask.exe Token: SeDebugPrivilege 4564 WerFault.exe Token: SeDebugPrivilege 4664 WerFault.exe Token: SeDebugPrivilege 5084 WerFault.exe Token: SeShutdownPrivilege 3000 Process not Found Token: SeCreatePagefilePrivilege 3000 Process not Found Token: SeShutdownPrivilege 3000 Process not Found Token: 
SeCreatePagefilePrivilege 3000 Process not Found Token: SeShutdownPrivilege 3000 Process not Found Token: SeCreatePagefilePrivilege 3000 Process not Found Token: SeIncreaseQuotaPrivilege 2776 WMIC.exe Token: SeSecurityPrivilege 2776 WMIC.exe Token: SeTakeOwnershipPrivilege 2776 WMIC.exe Token: SeLoadDriverPrivilege 2776 WMIC.exe Token: SeSystemProfilePrivilege 2776 WMIC.exe Token: SeSystemtimePrivilege 2776 WMIC.exe Token: SeProfSingleProcessPrivilege 2776 WMIC.exe Token: SeIncBasePriorityPrivilege 2776 WMIC.exe Token: SeCreatePagefilePrivilege 2776 WMIC.exe Token: SeBackupPrivilege 2776 WMIC.exe Token: SeRestorePrivilege 2776 WMIC.exe Token: SeShutdownPrivilege 2776 WMIC.exe Token: SeDebugPrivilege 2776 WMIC.exe Token: SeSystemEnvironmentPrivilege 2776 WMIC.exe Token: SeRemoteShutdownPrivilege 2776 WMIC.exe Token: SeUndockPrivilege 2776 WMIC.exe Token: SeManageVolumePrivilege 2776 WMIC.exe Token: 33 2776 WMIC.exe Token: 34 2776 WMIC.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3000 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3920 wrote to memory of 2152 3920 df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90.exe 77 PID 3920 wrote to memory of 2152 3920 df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90.exe 77 PID 3920 wrote to memory of 2152 3920 df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90.exe 77 PID 3920 wrote to memory of 2152 3920 df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90.exe 77 PID 3920 wrote to memory of 2152 3920 df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90.exe 77 PID 3920 wrote to memory of 2152 3920 df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90.exe 77 PID 3000 wrote to memory of 2352 3000 Process not Found 79 PID 3000 wrote to memory of 2352 3000 Process not Found 79 PID 3000 wrote to memory of 2352 3000 Process not Found 79 PID 3000 wrote to memory of 1496 3000 Process not Found 81 PID 3000 wrote to memory of 1496 3000 Process not Found 81 PID 3000 wrote to memory of 1496 3000 Process not Found 81 PID 3000 wrote to memory of 3144 3000 Process not Found 83 PID 3000 wrote to memory of 3144 3000 Process not Found 83 PID 3000 wrote to memory of 3144 3000 Process not Found 83 PID 3000 wrote to memory of 1288 3000 Process not Found 84 PID 3000 wrote to memory of 1288 3000 Process not Found 84 PID 3000 wrote to memory of 1288 3000 Process not Found 84 PID 3000 wrote to memory of 1988 3000 Process not Found 85 PID 3000 wrote to memory of 1988 3000 Process not Found 85 PID 3000 wrote to memory of 1988 3000 Process not Found 85 PID 3000 wrote to memory of 2328 3000 Process not Found 86 PID 3000 wrote to memory of 2328 3000 Process not Found 86 PID 3000 wrote to memory of 2328 3000 Process not Found 86 PID 3000 wrote to memory of 2328 3000 Process not Found 86 PID 3000 wrote to memory of 1832 3000 Process not Found 87 PID 3000 wrote to memory of 1832 3000 Process not Found 87 PID 3000 wrote to memory of 1832 3000 Process not Found 87 PID 
3000 wrote to memory of 2248 3000 Process not Found 88 PID 3000 wrote to memory of 2248 3000 Process not Found 88 PID 3000 wrote to memory of 2248 3000 Process not Found 88 PID 3000 wrote to memory of 2248 3000 Process not Found 88 PID 3144 wrote to memory of 744 3144 CE44.exe 89 PID 3144 wrote to memory of 744 3144 CE44.exe 89 PID 3144 wrote to memory of 744 3144 CE44.exe 89 PID 3000 wrote to memory of 200 3000 Process not Found 90 PID 3000 wrote to memory of 200 3000 Process not Found 90 PID 3000 wrote to memory of 200 3000 Process not Found 90 PID 744 wrote to memory of 3640 744 AdvancedRun.exe 91 PID 744 wrote to memory of 3640 744 AdvancedRun.exe 91 PID 744 wrote to memory of 3640 744 AdvancedRun.exe 91 PID 3000 wrote to memory of 3444 3000 Process not Found 93 PID 3000 wrote to memory of 3444 3000 Process not Found 93 PID 3000 wrote to memory of 3444 3000 Process not Found 93 PID 3000 wrote to memory of 3444 3000 Process not Found 93 PID 3000 wrote to memory of 3928 3000 Process not Found 94 PID 3000 wrote to memory of 3928 3000 Process not Found 94 PID 3000 wrote to memory of 3928 3000 Process not Found 94 PID 3000 wrote to memory of 1428 3000 Process not Found 95 PID 3000 wrote to memory of 1428 3000 Process not Found 95 PID 3000 wrote to memory of 1428 3000 Process not Found 95 PID 3000 wrote to memory of 1428 3000 Process not Found 95 PID 1288 wrote to memory of 1748 1288 D114.exe 98 PID 1288 wrote to memory of 1748 1288 D114.exe 98 PID 1288 wrote to memory of 1748 1288 D114.exe 98 PID 1288 wrote to memory of 3644 1288 D114.exe 99 PID 1288 wrote to memory of 3644 1288 D114.exe 99 PID 1288 wrote to memory of 3644 1288 D114.exe 99 PID 1288 wrote to memory of 3644 1288 D114.exe 99 PID 1288 wrote to memory of 3644 1288 D114.exe 99 PID 1288 wrote to memory of 3644 1288 D114.exe 99 PID 3000 wrote to memory of 2584 3000 Process not Found 100 PID 3000 wrote to memory of 2584 3000 Process not Found 100 PID 3000 wrote to memory of 2584 3000 Process not Found 100 -
System policy modification   1 TTPs   1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | CE44.exe
(EnableLUA = 0 switches User Account Control off for every user on the machine; the setting takes full effect at the next reboot. The writer is CE44.exe (PID 3144), the same process that launches powershell.exe Add-MpPreference to exclude its own path from Defender in the process tree below, so the two changes should be read together as one defense-evasion step.)
Processes
(Indented by parent/child relationship, [n] being the depth the report assigned; each entry gives the image path, its PID and the command line as recorded. Where the image path is under SysWOW64 but the command line names System32, the caller was a 32-bit process and WOW64 file-system redirection applied. PIDs 3920 and 4664 recur on later WerFault.exe entries: Windows reuses a PID once the process that held it has exited, so a PID alone does not identify a process across the run.)

[1] C:\Users\Admin\AppData\Local\Temp\df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90.exe (PID 3920)
    cmd: "C:\Users\Admin\AppData\Local\Temp\df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90.exe (PID 2152)
        cmd: "C:\Users\Admin\AppData\Local\Temp\df21b56dcc8d953c204f3fada671f0b7bc6a03fd53cfd19409ad36d4f00d8b90.exe"
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\C569.exe (PID 2352)
    cmd: C:\Users\Admin\AppData\Local\Temp\C569.exe
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\CC20.exe (PID 1496)
    cmd: C:\Users\Admin\AppData\Local\Temp\CC20.exe
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\CE44.exe (PID 3144)
    cmd: C:\Users\Admin\AppData\Local\Temp\CE44.exe
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    [2] C:\Users\Admin\AppData\Local\Temp\27f3bbcd-877a-4608-80b2-a098046745f9\AdvancedRun.exe (PID 744)
        cmd: "C:\Users\Admin\AppData\Local\Temp\27f3bbcd-877a-4608-80b2-a098046745f9\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\27f3bbcd-877a-4608-80b2-a098046745f9\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\27f3bbcd-877a-4608-80b2-a098046745f9\AdvancedRun.exe (PID 3640)
            cmd: "C:\Users\Admin\AppData\Local\Temp\27f3bbcd-877a-4608-80b2-a098046745f9\AdvancedRun.exe" /SpecialRun 4101d8 744
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3108)
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CE44.exe" -Force
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3628)
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CE44.exe" -Force
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe (PID 3932)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\D114.exe (PID 1288)
    cmd: C:\Users\Admin\AppData\Local\Temp\D114.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe (PID 1748)   (a dropped binary named like the system service host, but under %APPDATA%, not System32)
        cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
        - Executes dropped EXE
        - Enumerates connected drives
        [3] C:\Windows\SysWOW64\cmd.exe (PID 4692)
            cmd: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2776)
                cmd: wmic shadowcopy delete
                - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\cmd.exe (PID 4708)
            cmd: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        [3] C:\Windows\SysWOW64\cmd.exe (PID 4740)
            cmd: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        [3] C:\Windows\SysWOW64\cmd.exe (PID 4828)
            cmd: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
            [4] C:\Windows\SysWOW64\vssadmin.exe (PID 4128)
                cmd: vssadmin delete shadows /all /quiet
                - Interacts with shadow copies
        [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe (PID 4904)
            cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
            - Executes dropped EXE
            - Drops file in Program Files directory
        [3] C:\Windows\SysWOW64\cmd.exe (PID 4864)
            cmd: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4576)
                cmd: wmic shadowcopy delete
            [4] C:\Windows\SysWOW64\vssadmin.exe (PID 4668)
                cmd: vssadmin delete shadows /all /quiet
                - Interacts with shadow copies
        [3] C:\Windows\SysWOW64\cmd.exe (PID 4772)
            cmd: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    [2] C:\Windows\SysWOW64\notepad.exe (PID 3644)
        cmd: notepad.exe

[1] C:\Users\Admin\AppData\Local\Temp\D328.exe (PID 1988)
    cmd: C:\Users\Admin\AppData\Local\Temp\D328.exe
    - Executes dropped EXE
    - Loads dropped DLL
    [2] C:\Windows\SysWOW64\WerFault.exe, 14 instances, each with cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s <N>   (Windows Error Reporting for the crashing D328.exe; -p names its PID)
        PID 3920  -s 736   - Drops file in Windows directory; Program crash; Suspicious use of AdjustPrivilegeToken
        PID 1768  -s 752   - Program crash; Suspicious use of AdjustPrivilegeToken
        PID 4156  -s 736   - Program crash; Suspicious use of AdjustPrivilegeToken
        PID 4204  -s 880   - Program crash; Suspicious use of AdjustPrivilegeToken
        PID 4260  -s 1188  - Program crash; Suspicious use of AdjustPrivilegeToken
        PID 4328  -s 1244  - Program crash; Suspicious use of AdjustPrivilegeToken
        PID 4416  -s 1260  - Program crash; Suspicious use of AdjustPrivilegeToken
        PID 4564  -s 1244  - Program crash; Suspicious use of AdjustPrivilegeToken
        PID 4664  -s 1288  - Program crash
        PID 5084  -s 1364  - Program crash; Suspicious use of AdjustPrivilegeToken
        PID 4248  -s 1436  - Program crash
        PID 4584  -s 1472  - Program crash
        PID 4664  -s 1400  - Program crash; Suspicious use of AdjustPrivilegeToken
        PID 5020  -s 1432  - Suspicious use of NtCreateProcessExOtherParentProcess; Program crash

[1] C:\Windows\SysWOW64\explorer.exe (PID 2328)   cmd: C:\Windows\SysWOW64\explorer.exe
[1] C:\Windows\explorer.exe (PID 1832)   cmd: C:\Windows\explorer.exe
[1] C:\Windows\SysWOW64\explorer.exe (PID 2248)   cmd: C:\Windows\SysWOW64\explorer.exe
[1] C:\Windows\explorer.exe (PID 200)   cmd: C:\Windows\explorer.exe
[1] C:\Windows\SysWOW64\explorer.exe (PID 3444)   cmd: C:\Windows\SysWOW64\explorer.exe
[1] C:\Windows\explorer.exe (PID 3928)   cmd: C:\Windows\explorer.exe
[1] C:\Windows\SysWOW64\explorer.exe (PID 1428)   cmd: C:\Windows\SysWOW64\explorer.exe
[1] C:\Windows\explorer.exe (PID 2584)   cmd: C:\Windows\explorer.exe
[1] C:\Windows\SysWOW64\explorer.exe (PID 1544)   cmd: C:\Windows\SysWOW64\explorer.exe

[1] C:\Users\Admin\AppData\Roaming\eshdsse (PID 4176)   (extensionless file under %APPDATA%, executed directly)
    cmd: C:\Users\Admin\AppData\Roaming\eshdsse
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    [2] C:\Users\Admin\AppData\Roaming\eshdsse (PID 4420)
        cmd: C:\Users\Admin\AppData\Roaming\eshdsse
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: MapViewOfSection

[1] C:\Windows\system32\vssvc.exe (PID 4280)   cmd: C:\Windows\system32\vssvc.exe
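The svchost.exe subtree under D114.exe (the Buran stage: wmic shadowcopy delete, bcdedit recoveryenabled no and bootstatuspolicy ignoreallfailures, vssadmin delete shadows, wbadmin delete catalog) and the CE44.exe stage (Add-MpPreference exclusions and the EnableLUA = 0 registry write) are the behaviours a detection engineer would want to alert on from this run. The following Python is an added example by the editor, not part of the report: a few command-line and registry rules run over constructed events that mirror the command lines above, with a roll-up per responsible process so that one parent driving several distinct recovery-inhibition commands surfaces as a single finding. The event layout, rule names and the ATT&CK technique IDs used for grouping (T1490, T1089) are the editor's assumptions, not the report's.

```python
"""Detection logic for the recovery-inhibition and defense-evasion commands seen
in the process tree above.

Added example by the editor, not part of the sandbox report. Events are plain dicts
whose fields mirror the tree (pid, ppid, image, cmdline) and the registry IoC
(key, data); the layout and the technique mapping are the editor's assumptions.
"""
import re
from collections import defaultdict

# (rule name, ATT&CK technique id used for the roll-up, pattern over the lower-cased command line)
RULES = [
    ("Shadow copies deleted (vssadmin)", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("Shadow copies deleted (wmic)", "T1490",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("Recovery environment disabled (bcdedit)", "T1490",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no")),
    ("Boot failures ignored (bcdedit)", "T1490",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures")),
    ("Backup catalog deleted (wbadmin)", "T1490",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
    ("Defender exclusion added (Add-MpPreference)", "T1089",
     re.compile(r"add-mppreference\s+-exclusionpath")),
]
RECOVERY_RULES = {name for name, tid, _ in RULES if tid == "T1490"}


def cmd_event(pid, ppid, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


SYSWOW_CMD = r"C:\Windows\SysWOW64\cmd.exe"
# Constructed events, taken from the command lines in the tree above, plus the
# notepad.exe child of D114.exe as a control that must not fire anything.
SAMPLE_EVENTS = [
    cmd_event(3108, 3144, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CE44.exe" -Force'),
    {"type": "registry", "pid": 3144,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "data": 0},
    cmd_event(4692, 1748, SYSWOW_CMD, r'"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete'),
    cmd_event(4708, 1748, SYSWOW_CMD, r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no'),
    cmd_event(4740, 1748, SYSWOW_CMD, r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    cmd_event(4828, 1748, SYSWOW_CMD, r'"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet'),
    cmd_event(4772, 1748, SYSWOW_CMD, r'"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet'),
    cmd_event(3644, 1288, r"C:\Windows\SysWOW64\notepad.exe", "notepad.exe"),
]


def match_event(event):
    """Return the names of every rule that fires on one event (empty list if none)."""
    hits = []
    if event["type"] == "process":
        cmdline = event["cmdline"].lower()
        hits.extend(name for name, _, pat in RULES if pat.search(cmdline))
    elif event["type"] == "registry":
        # The EnableLUA IoC from the report: value 0 under Policies\System turns UAC off.
        if event["key"].lower().endswith(r"\policies\system\enablelua") and str(event["data"]) == "0":
            hits.append("UAC disabled (EnableLUA=0)")
    return hits


def rollup_by_actor(events):
    """Group hits by the process responsible: the parent for spawned commands, the writer for registry changes."""
    by_actor = defaultdict(set)
    for ev in events:
        actor = ev["ppid"] if ev["type"] == "process" else ev["pid"]
        for hit in match_event(ev):
            by_actor[actor].add(hit)
    return by_actor


def recovery_inhibition_actors(events, min_distinct=3):
    """PIDs under which at least min_distinct different recovery-inhibition rules fired.

    One vssadmin call is noise on an admin workstation; several distinct techniques
    driven from one parent is the pre-encryption pattern the svchost.exe stage shows."""
    return sorted(pid for pid, hits in rollup_by_actor(events).items()
                  if len(hits & RECOVERY_RULES) >= min_distinct)


if __name__ == "__main__":
    for pid, hits in sorted(rollup_by_actor(SAMPLE_EVENTS).items()):
        print(pid, sorted(hits))
    print("recovery inhibition driven from:", recovery_inhibition_actors(SAMPLE_EVENTS))
```

The patterns are applied to the full command line rather than the image name, so the cmd.exe /C wrapper that the dropped svchost.exe uses fires the same rule as the WMIC.exe or vssadmin.exe child it spawns; the per-actor roll-up then counts each technique once, which is what keeps the alert precise when the same deletion is issued twice (once directly and once from ~temp001.bat, as in the tree above).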
Network
MITRE ATT&CK Enterprise v6
(technique: number of report signatures mapped to it; the v6 technique IDs are added here for reference)
Defense Evasion
  Bypass User Account Control (T1088)      1
  Disabling Security Tools (T1089)         4
  File Deletion (T1107)                    2
  Install Root Certificate (T1130)         1
  Modify Registry (T1112)                  7
  Virtualization/Sandbox Evasion (T1497)   1
  Web Service (T1102)                      1
(In ATT&CK v6, Web Service (T1102) is a Command and Control technique, not a Defense Evasion one; it is listed here as the report presents it. The shadow-copy, bcdedit and wbadmin activity in the process tree is not reflected in this mapping beyond the two File Deletion signatures.)