Analysis
max time kernel: 153s
max time network: 154s
platform: windows10_x64
resource: win10v20210408
submitted: 30/08/2021, 03:45
Static task: static1
Behavioral task: behavioral1
Sample: 0fb54b60f21f099e233fa5c1b79a2ee75e7a5577aea5436288cd89fa57539c60.exe
Resource: win10v20210408

General
Target: 0fb54b60f21f099e233fa5c1b79a2ee75e7a5577aea5436288cd89fa57539c60.exe
Size: 212KB
MD5: 260d911257b6a2f73bb75a0c313122be
SHA1: 4552ad346174036a2dd3c456f41de12a51df14ce
SHA256: 0fb54b60f21f099e233fa5c1b79a2ee75e7a5577aea5436288cd89fa57539c60
SHA512: d115db2eb8fad7ab10bd341a71b4df29447587822badec86de23d3c61480123116712eaffba8929410493d513b6f27fcdaede0ef139bdc58fa77ab8d1b2ec407
Malware Config

Extracted: buran
Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Extracted: smokeloader (2020)
Extracted: raccoon
d02c5d65069fc7ce1993e7c52edf0c9c4c195c81
url4cnc: https://telete.in/open3entershift

Extracted: redline
nn
135.181.49.56:47634
Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 3 IoCs
resource | yara_rule
behavioral1/memory/3968-206-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
behavioral1/memory/3968-209-0x000000000041C5C6-mapping.dmp | family_redline
behavioral1/memory/3968-237-0x0000000009140000-0x0000000009746000-memory.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 5104 created 1188 | 5104 | WerFault.exe | 82

Turns off Windows Defender SpyNet reporting 2 TTPs

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

Nirsoft 3 IoCs
resource | yara_rule
behavioral1/files/0x00020000000155fe-166.dat | Nirsoft
behavioral1/files/0x00020000000155fe-168.dat | Nirsoft
behavioral1/files/0x00020000000155fe-172.dat | Nirsoft

Executes dropped EXE 11 IoCs
pid | Process
2340 | B0D7.exe
3148 | B25F.exe
1188 | B369.exe
3892 | B55E.exe
1716 | BAFD.exe
3596 | AdvancedRun.exe
2232 | AdvancedRun.exe
2088 | lsass.exe
4244 | lsass.exe
4688 | ucubvcr
4936 | ucubvcr

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | B0D7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | B0D7.exe

Deletes itself 1 IoCs
pid | Process
3028 | Process not Found

Loads dropped DLL 1 IoCs
pid | Process
1188 | B369.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Themida (yara rule match) 3 IoCs
resource | yara_rule
behavioral1/files/0x000400000001ab2b-119.dat | themida
behavioral1/files/0x000400000001ab2b-120.dat | themida
behavioral1/memory/2340-133-0x00000000010F0000-0x00000000010F1000-memory.dmp | themida

Uses the VBS compiler for execution 1 TTPs

Windows security modification 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | B25F.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | B25F.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | B25F.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | B25F.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\B25F.exe = "0" | B25F.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | B25F.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | B25F.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | B25F.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | B25F.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | B25F.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run | B55E.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start" | B55E.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | B25F.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | B25F.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | B0D7.exe

Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\U: | lsass.exe
File opened (read-only) | \??\S: | lsass.exe
File opened (read-only) | \??\L: | lsass.exe
File opened (read-only) | \??\K: | lsass.exe
File opened (read-only) | \??\I: | lsass.exe
File opened (read-only) | \??\M: | lsass.exe
File opened (read-only) | \??\J: | lsass.exe
File opened (read-only) | \??\V: | lsass.exe
File opened (read-only) | \??\T: | lsass.exe
File opened (read-only) | \??\R: | lsass.exe
File opened (read-only) | \??\Q: | lsass.exe
File opened (read-only) | \??\P: | lsass.exe
File opened (read-only) | \??\N: | lsass.exe
File opened (read-only) | \??\E: | lsass.exe
File opened (read-only) | \??\B: | lsass.exe
File opened (read-only) | \??\X: | lsass.exe
File opened (read-only) | \??\W: | lsass.exe
File opened (read-only) | \??\H: | lsass.exe
File opened (read-only) | \??\F: | lsass.exe
File opened (read-only) | \??\A: | lsass.exe
File opened (read-only) | \??\Z: | lsass.exe
File opened (read-only) | \??\Y: | lsass.exe
File opened (read-only) | \??\O: | lsass.exe
File opened (read-only) | \??\G: | lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
24 | geoiptool.com

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid | Process
2340 | B0D7.exe
1716 | BAFD.exe
1716 | BAFD.exe
1716 | BAFD.exe
1716 | BAFD.exe

Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 4016 set thread context of 4004 | 4016 | 0fb54b60f21f099e233fa5c1b79a2ee75e7a5577aea5436288cd89fa57539c60.exe | 77
PID 3148 set thread context of 3968 | 3148 | B25F.exe | 104
PID 4688 set thread context of 4936 | 4688 | ucubvcr | 138
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 14 IoCs
pid | pid_target | Process | procid_target
3616 | 1188 | WerFault.exe | 82
4124 | 1188 | WerFault.exe | 82
4280 | 1188 | WerFault.exe | 82
4352 | 1188 | WerFault.exe | 82
4452 | 1188 | WerFault.exe | 82
4604 | 1188 | WerFault.exe | 82
4740 | 1188 | WerFault.exe | 82
4872 | 1188 | WerFault.exe | 82
5092 | 1188 | WerFault.exe | 82
4452 | 1188 | WerFault.exe | 82
4912 | 1188 | WerFault.exe | 82
4292 | 1188 | WerFault.exe | 82
4796 | 1188 | WerFault.exe | 82
5104 | 1188 | WerFault.exe | 82

Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ucubvcr
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ucubvcr
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0fb54b60f21f099e233fa5c1b79a2ee75e7a5577aea5436288cd89fa57539c60.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0fb54b60f21f099e233fa5c1b79a2ee75e7a5577aea5436288cd89fa57539c60.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0fb54b60f21f099e233fa5c1b79a2ee75e7a5577aea5436288cd89fa57539c60.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ucubvcr

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
4980 | vssadmin.exe

Modifies system certificate store 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | B55E.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | B55E.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3028 | Process not Found
Suspicious behavior: MapViewOfSection 20 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1716 | BAFD.exe

Suspicious use of UnmapMainImage 1 IoCs
pid | Process
3028 | Process not Found

Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | B25F.exe
Processes

C:\Users\Admin\AppData\Local\Temp\0fb54b60f21f099e233fa5c1b79a2ee75e7a5577aea5436288cd89fa57539c60.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fb54b60f21f099e233fa5c1b79a2ee75e7a5577aea5436288cd89fa57539c60.exe"
  PID: 4016
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\0fb54b60f21f099e233fa5c1b79a2ee75e7a5577aea5436288cd89fa57539c60.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0fb54b60f21f099e233fa5c1b79a2ee75e7a5577aea5436288cd89fa57539c60.exe"
      PID: 4004
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\B0D7.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\B0D7.exe
  PID: 2340
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\B25F.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\B25F.exe
  PID: 3148
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

    C:\Users\Admin\AppData\Local\Temp\74098be0-3de1-4472-bb8b-2585f58e358a\AdvancedRun.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\74098be0-3de1-4472-bb8b-2585f58e358a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\74098be0-3de1-4472-bb8b-2585f58e358a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      PID: 3596
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\74098be0-3de1-4472-bb8b-2585f58e358a\AdvancedRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\74098be0-3de1-4472-bb8b-2585f58e358a\AdvancedRun.exe" /SpecialRun 4101d8 3596
          PID: 2232
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\B25F.exe" -Force
      PID: 1868
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\B25F.exe" -Force
      PID: 2332
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
      PID: 696

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      PID: 3968
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\B369.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\B369.exe
  PID: 1188
  - Executes dropped EXE
  - Loads dropped DLL

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 736
      PID: 3616
      - Drops file in Windows directory
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 748
      PID: 4124
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 848
      PID: 4280
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 892
      PID: 4352
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 1188
      PID: 4452
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 1308
      PID: 4604
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 1312
      PID: 4740
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 1212
      PID: 4872
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 1324
      PID: 5092
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 1412
      PID: 4452
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 1212
      PID: 4912
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 1328
      PID: 4292
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 1284
      PID: 4796
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 1268
      PID: 5104
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash

C:\Users\Admin\AppData\Local\Temp\B55E.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\B55E.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start2⤵
- Executes dropped EXE
- Enumerates connected drives
PID:2088 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵PID:5044
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4948
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵PID:5108
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵PID:4136
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:4980
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 03⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4244
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵PID:1116
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵PID:5076
-
-
-
C:\Users\Admin\AppData\Local\Temp\BAFD.exeC:\Users\Admin\AppData\Local\Temp\BAFD.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1716
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1220
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:696
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:648
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:3440
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:2176
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:3768
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:512
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:2292
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:4168
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:4492
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:4252
-
C:\Users\Admin\AppData\Roaming\ucubvcrC:\Users\Admin\AppData\Roaming\ucubvcr1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4688 -
C:\Users\Admin\AppData\Roaming\ucubvcrC:\Users\Admin\AppData\Roaming\ucubvcr2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4936
-
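The process tree above records the three behaviours a responder would want alerting on before the encryption stage: the dropped copy of lsass.exe under the user profile spawning wmic, vssadmin, bcdedit and wbadmin to remove every recovery path, powershell.exe adding a Defender exclusion for a dropped payload, and NirSoft AdvancedRun launched from a Temp directory with an explicit /RunAs mode. The following is an added example, not part of the sandbox report: a small rule set that classifies process-creation records (the shape Sysmon Event ID 1 or Security 4688 with command-line auditing would give you) against those behaviours. The sample records are constructed from the command lines in this report; the technique labels use the ATT&CK v6 names the report itself uses, and the list of "system-only" process names is an assumption chosen for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 shape)."""
    pid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# Command lines that remove or disable the recovery paths ransomware wants gone.
RECOVERY_INHIBITION = [
    r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b",
    r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b",
    r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b",
    r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b",
    r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b",
]
# A Defender exclusion added from the command line (any of the three exclusion kinds).
DEFENDER_EXCLUSION = r"\badd-mppreference\b.*-exclusion(path|process|extension)\b"
# NirSoft AdvancedRun executed out of a Temp directory with an explicit /RunAs mode.
ADVANCEDRUN_TEMP = r"\\temp\\.*advancedrun\.exe.*/runas\s+\d+"

# Assumption for this example: Windows processes that should never run from a user profile.
SYSTEM_ONLY_NAMES = {"lsass.exe", "csrss.exe", "services.exe", "winlogon.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def normalize(cmd: str) -> str:
    """Lowercase and collapse whitespace so quoting and spacing variants hit the same pattern."""
    return re.sub(r"\s+", " ", cmd.strip().lower())


def classify(ev: ProcEvent) -> list[str]:
    """Return the labels (ATT&CK v6 naming, as in this report) that a single event triggers."""
    cmd = normalize(ev.cmdline)
    image = ev.image.lower()
    name = image.rsplit("\\", 1)[-1]
    findings: list[str] = []
    if any(re.search(p, cmd) for p in RECOVERY_INHIBITION):
        findings.append("T1490 Inhibit System Recovery")
    if re.search(DEFENDER_EXCLUSION, cmd):
        findings.append("T1089 Disabling Security Tools (Defender exclusion added)")
    if re.search(ADVANCEDRUN_TEMP, cmd):
        findings.append("Dropped NirSoft AdvancedRun launched with /RunAs from Temp")
    if name in SYSTEM_ONLY_NAMES and not image.startswith(SYSTEM_DIRS):
        findings.append(f"T1036 Masquerading ({name} outside the system directories)")
    return findings


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map PID -> findings for every event that triggered at least one rule."""
    return {ev.pid: f for ev in events if (f := classify(ev))}


# Constructed sample: the command lines from the process tree above, plus one benign control.
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp\74098be0-3de1-4472-bb8b-2585f58e358a"
ADVRUN = TEMP_DIR + r"\AdvancedRun.exe"
CMD_EXE = r"C:\Windows\SysWOW64\cmd.exe"
CMD_C = r'"C:\Windows\system32\cmd.exe" /C '
PS_EXE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
FAKE_LSASS = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe"

SAMPLE_EVENTS = [
    ProcEvent(3596, ADVRUN, '"' + ADVRUN + '" /EXEFilename "' + TEMP_DIR + r'\test.bat"'
              ' /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run'),
    ProcEvent(2232, ADVRUN, '"' + ADVRUN + '" /SpecialRun 4101d8 3596'),
    ProcEvent(1868, PS_EXE, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference'
                            r' -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\B25F.exe" -Force'),
    ProcEvent(2088, FAKE_LSASS, '"' + FAKE_LSASS + '" -start'),
    ProcEvent(5044, CMD_EXE, CMD_C + "wmic shadowcopy delete"),
    ProcEvent(5108, CMD_EXE, CMD_C + "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(4980, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(1116, CMD_EXE, CMD_C + "wbadmin delete catalog -quiet"),
    ProcEvent(5076, CMD_EXE, CMD_C + "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(1220, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),  # benign
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(hits))
```

Two design points. The AdvancedRun rule fires on the launcher (PID 3596, which names the .bat to run and the /RunAs mode) and deliberately not on its /SpecialRun child, so one alert covers the pair. The masquerading rule keys on image path rather than command line because the dropped binary's command line is indistinguishable from the real lsass.exe apart from the directory; with only 4688 events and no command-line auditing enabled, that rule is the one that still works.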
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
- Bypass User Account Control (1)
- Disabling Security Tools (4)
- File Deletion (2)
- Install Root Certificate (1)
- Modify Registry (7)
- Scripting (1)
- Virtualization/Sandbox Evasion (1)
- Web Service (1)