blackcat | 65b331074f906c46057da085ffdd1d98b61632a3e996cd252d4548a5e4c6bb10

Resubmissions

29-12-2022 04:38

221229-e9sm5acd27 10

29-12-2022 04:35

10-11-2022 11:04

10-11-2022 11:03

10-11-2022 11:00

10-11-2022 10:58

Analysis

max time kernel
61s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2022 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
Size

2.6MB
MD5

bb266486ee8ac70c0687989e02cefa14
SHA1

11203786b17bb3873d46acae32a898c8dac09850
SHA256

0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479
SHA512

a167779fc95a5cf0a3eff86211e9e08c282470e050b17ae62c7499a82ea59b3447446eafea9d7b5c5ba833b7a2d060f76530b00509dd5ff7904a0735d83e14c4
SSDEEP

49152:rEqvaaAjc2hdKjb8WXqE1PiEbE/TKMt3/RgaJ2wW4PRT8O1:rbyaALKjwWXV1P9oVvwwW4JT8

Score

10^/10

blackcat discovery evasion ransomware trojan

Malware Config

Extracted

Path

\??\Z:\RECOVER-sykffle-FILES.txt

Ransom Note

>> Introduction Important files on your system was ENCRYPTED and now they have have "sykffle" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=TvXmSn6GUE0IdjOhdbGl9hEQ0eSR%2FFYVn2r51o1%2FmXfNuYDNmOgngH47ClDD%2FQTtwpouJ%2FDJ2TS8zbJXgTCV%2BIycMnHIUnu2Y33Nkysf6Mj%2BgUcVM5BgwFlAlXRIHda9lpy%2FajTP6p20gcEHc0El%2Br52V9bj6kDC5hYfwOlLvsaf6IvA7nkOS6%2BW69o6ZZAmRt4o1eOGBspciK%2BLFnZTzFT946qBdkKZPVphcI%2F2B8F6%2FZ1PUzOjpuqebvP1iU7c1U4v9Tlg95mDM73NSFpee1TXyixRXGjqrKy%2BMhLR5OCdR27%2F%2BaBDQnz1GzK6zt2yTKGWZAkv9Z%2F9G2yITMTTaA%3D%3D

URLs

http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21

http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=TvXmSn6GUE0IdjOhdbGl9hEQ0eSR%2FFYVn2r51o1%2FmXfNuYDNmOgngH47ClDD%2FQTtwpouJ%2FDJ2TS8zbJXgTCV%2BIycMnHIUnu2Y33Nkysf6Mj%2BgUcVM5BgwFlAlXRIHda9lpy%2FajTP6p20gcEHc0El%2Br52V9bj6kDC5hYfwOlLvsaf6IvA7nkOS6%2BW69o6ZZAmRt4o1eOGBspciK%2BLFnZTzFT946qBdkKZPVphcI%2F2B8F6%2FZ1PUzOjpuqebvP1iU7c1U4v9Tlg95mDM73NSFpee1TXyixRXGjqrKy%2BMhLR5OCdR27%2F%2BaBDQnz1GzK6zt2yTKGWZAkv9Z%2F9G2yITMTTaA%3D%3D

Extracted

Family

blackcat

Credentials

Username:
KELLERSUPPLY\Administrator
Password:
d@gw00d

Username:
KELLERSUPPLY\AdminRecovery
Password:
K3ller!$Supp1y

Username:
.\Administrator
Password:
d@gw00d

Username:
.\Administrator
Password:
K3ller!$Supp1y

Attributes

enable_network_discovery
true
enable_self_propagation
false
enable_set_wallpaper
true
extension
sykffle
note_file_name
RECOVER-${EXTENSION}-FILES.txt
note_full_text
>> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Signatures

BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
ransomware blackcat
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 4 IoCs

pid	Process
4364	alg.exe
4676	DiagnosticsHub.StandardCollector.Service.exe
3144	fxssvc.exe
228	elevation_service.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ConvertToOptimize.crw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandClear.png.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\ImportUndo.tif.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\UnpublishRedo.png => C:\Users\Admin\Pictures\UnpublishRedo.png.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\UnpublishRedo.png.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\ConvertToOptimize.crw => C:\Users\Admin\Pictures\ConvertToOptimize.crw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\ExpandClear.png => C:\Users\Admin\Pictures\ExpandClear.png.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\ImportUndo.tif => C:\Users\Admin\Pictures\ImportUndo.tif.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\SearchResize.crw => C:\Users\Admin\Pictures\SearchResize.crw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\SearchResize.crw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2629973501-4017243118-3254762364-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2629973501-4017243118-3254762364-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\F:	alg.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\T:	alg.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\svchost.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	\??\c:\windows\system32\fghfebpa.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	alg.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File created	\??\c:\windows\system32\neiihaep.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File created	\??\c:\windows\SysWOW64\olgihkjj.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\alg.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	\??\c:\windows\system32\bcbmlmoa.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	\??\c:\windows\SysWOW64\eackkofc.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	\??\c:\windows\system32\diagsvcs\apnpkhaf.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	alg.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	alg.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png"	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png"	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\cjdhmpon.tmp	alg.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\gdbcnhap.tmp	alg.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\feolbpdh.tmp	alg.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\acaqdgdp.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2168	228	WerFault.exe	124
2556	932	WerFault.exe	104

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
5056	vssadmin.exe
2052	vssadmin.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\WallpaperStyle = "0"	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
1476	chrome.exe
1476	chrome.exe
1416	chrome.exe
1416	chrome.exe
4348	chrome.exe
4348	chrome.exe
3472	chrome.exe
3472	chrome.exe
4364	alg.exe
4364	alg.exe
4364	alg.exe
4364	alg.exe
4364	alg.exe
4364	alg.exe
4364	alg.exe
4364	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5108	WMIC.exe
Token: SeSecurityPrivilege	5108	WMIC.exe
Token: SeTakeOwnershipPrivilege	5108	WMIC.exe
Token: SeLoadDriverPrivilege	5108	WMIC.exe
Token: SeSystemProfilePrivilege	5108	WMIC.exe
Token: SeSystemtimePrivilege	5108	WMIC.exe
Token: SeProfSingleProcessPrivilege	5108	WMIC.exe
Token: SeIncBasePriorityPrivilege	5108	WMIC.exe
Token: SeCreatePagefilePrivilege	5108	WMIC.exe
Token: SeBackupPrivilege	5108	WMIC.exe
Token: SeRestorePrivilege	5108	WMIC.exe
Token: SeShutdownPrivilege	5108	WMIC.exe
Token: SeDebugPrivilege	5108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5108	WMIC.exe
Token: SeRemoteShutdownPrivilege	5108	WMIC.exe
Token: SeUndockPrivilege	5108	WMIC.exe
Token: SeManageVolumePrivilege	5108	WMIC.exe
Token: 33	5108	WMIC.exe
Token: 34	5108	WMIC.exe
Token: 35	5108	WMIC.exe
Token: 36	5108	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5108	WMIC.exe
Token: SeSecurityPrivilege	5108	WMIC.exe
Token: SeTakeOwnershipPrivilege	5108	WMIC.exe
Token: SeLoadDriverPrivilege	5108	WMIC.exe
Token: SeSystemProfilePrivilege	5108	WMIC.exe
Token: SeSystemtimePrivilege	5108	WMIC.exe
Token: SeProfSingleProcessPrivilege	5108	WMIC.exe
Token: SeIncBasePriorityPrivilege	5108	WMIC.exe
Token: SeCreatePagefilePrivilege	5108	WMIC.exe
Token: SeBackupPrivilege	5108	WMIC.exe
Token: SeRestorePrivilege	5108	WMIC.exe
Token: SeShutdownPrivilege	5108	WMIC.exe
Token: SeDebugPrivilege	5108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5108	WMIC.exe
Token: SeRemoteShutdownPrivilege	5108	WMIC.exe
Token: SeUndockPrivilege	5108	WMIC.exe
Token: SeManageVolumePrivilege	5108	WMIC.exe
Token: 33	5108	WMIC.exe
Token: 34	5108	WMIC.exe
Token: 35	5108	WMIC.exe
Token: 36	5108	WMIC.exe
Token: SeBackupPrivilege	1748	vssvc.exe
Token: SeRestorePrivilege	1748	vssvc.exe
Token: SeAuditPrivilege	1748	vssvc.exe
Token: SeTakeOwnershipPrivilege	676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
Token: SeAuditPrivilege	3144	fxssvc.exe
Token: SeTakeOwnershipPrivilege	4364	alg.exe
Token: SeBackupPrivilege	3924	vssvc.exe
Token: SeRestorePrivilege	3924	vssvc.exe
Token: SeAuditPrivilege	3924	vssvc.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 676 wrote to memory of 3248	676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	82
PID 676 wrote to memory of 3248	676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	82
PID 676 wrote to memory of 3248	676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	82
PID 3248 wrote to memory of 5108	3248	cmd.exe	84
PID 3248 wrote to memory of 5108	3248	cmd.exe	84
PID 3248 wrote to memory of 5108	3248	cmd.exe	84
PID 676 wrote to memory of 2268	676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	85
PID 676 wrote to memory of 2268	676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	85
PID 676 wrote to memory of 2268	676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	85
PID 2268 wrote to memory of 4492	2268	cmd.exe	87
PID 2268 wrote to memory of 4492	2268	cmd.exe	87
PID 2268 wrote to memory of 4492	2268	cmd.exe	87
PID 676 wrote to memory of 4712	676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	88
PID 676 wrote to memory of 4712	676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	88
PID 676 wrote to memory of 4712	676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	88
PID 4712 wrote to memory of 2112	4712	cmd.exe	90
PID 4712 wrote to memory of 2112	4712	cmd.exe	90
PID 4712 wrote to memory of 2112	4712	cmd.exe	90
PID 676 wrote to memory of 3392	676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	91
PID 676 wrote to memory of 3392	676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	91
PID 676 wrote to memory of 2148	676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	92
PID 676 wrote to memory of 2148	676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	92
PID 676 wrote to memory of 2148	676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	92
PID 3392 wrote to memory of 5056	3392	cmd.exe	95
PID 3392 wrote to memory of 5056	3392	cmd.exe	95
PID 2148 wrote to memory of 4104	2148	cmd.exe	96
PID 2148 wrote to memory of 4104	2148	cmd.exe	96
PID 2148 wrote to memory of 4104	2148	cmd.exe	96
PID 676 wrote to memory of 4288	676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	98
PID 676 wrote to memory of 4288	676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	98
PID 676 wrote to memory of 4288	676	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	98
PID 4288 wrote to memory of 4636	4288	cmd.exe	100
PID 4288 wrote to memory of 4636	4288	cmd.exe	100
PID 4288 wrote to memory of 4636	4288	cmd.exe	100
PID 1416 wrote to memory of 3788	1416	chrome.exe	110
PID 1416 wrote to memory of 3788	1416	chrome.exe	110
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112
PID 1416 wrote to memory of 4888	1416	chrome.exe	112

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
C:\Users\Admin\AppData\Local\Temp\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe -a 12345
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "wmic csproduct get UUID"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get UUID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5108
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "fsutil behavior set SymlinkEvaluation R2L:1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set SymlinkEvaluation R2L:1
    3⤵
    PID:4492
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "fsutil behavior set SymlinkEvaluation R2R:1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set SymlinkEvaluation R2R:1
    3⤵
    PID:2112
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c "vssadmin.exe delete shadows /all /quiet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5056
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
    3⤵
    PID:4104
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "arp -a"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\SysWOW64\ARP.EXE
    arp -a
    3⤵
    PID:4636
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c "vssadmin.exe delete shadows /all /quiet"
  2⤵
  PID:2180
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4364

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4408

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffdf5114f50,0x7ffdf5114f60,0x7ffdf5114f70
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,6882544358440060313,16130862137309391431,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,6882544358440060313,16130862137309391431,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1628,6882544358440060313,16130862137309391431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2408 /prefetch:8
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,6882544358440060313,16130862137309391431,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2972 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,6882544358440060313,16130862137309391431,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,6882544358440060313,16130862137309391431,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,6882544358440060313,16130862137309391431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4456 /prefetch:8
  2⤵
  PID:272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,6882544358440060313,16130862137309391431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4592 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,6882544358440060313,16130862137309391431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4452 /prefetch:8
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,6882544358440060313,16130862137309391431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:3716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,6882544358440060313,16130862137309391431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,6882544358440060313,16130862137309391431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,6882544358440060313,16130862137309391431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,6882544358440060313,16130862137309391431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,6882544358440060313,16130862137309391431,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,6882544358440060313,16130862137309391431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2248

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:228
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 228 -s 404
  2⤵
  - Program crash
  PID:2168

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 228 -ip 228
1⤵
PID:4620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 932 -ip 932
1⤵
PID:5084

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 932 -s 1760
1⤵
- Program crash
PID:2556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
1.8MB

MD5
12bac4e0c33fcafa937f81f702a949d4

SHA1
aff39c54a6a66d4e13d5e8d41006c28a1c62c6ec

SHA256
d55f15a64b3e2878d99e183d5da67affa0f6bb9182b787364980a2afff3ae084

SHA512
680261aa10080425b6052b4fa9d8c3f98cd0b12529ec19f3b40f0ccd1fb8287fb332b8ad2056bd67fe0a37395739cff78b0b9fce4d8def60625df58d1307282a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
491KB

MD5
14131c42e1bbe7900672699f7e78fbab

SHA1
2e5f331d47b8b39bc21a9133a5e46677c4a2ec87

SHA256
7ccfe07efb1108df01f312ceb42c802c17285805557c779f32bbdce6096952ae

SHA512
6884a8943183a70c4c6b0f857ee6316027e6f326f19f1ba33ac97e483ffc468bac1d97fd459a4545d1c93b143b93c279a79ada75434e88a09d5e0e2e5af3d084

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
e4d7ce746224b158b9f7d670a047afa0

SHA1
946baca71d95b05a0309d2c147e5746ce2dbf7a6

SHA256
8f91af819d13c909abbd3b2cff9a1f375f443edf61d1dac0b18ecf3c85093ea4

SHA512
f06ba0976a61aa9b8ebdba2a1288e233af4574e40da01585dff4e6d94c1d32becd078e255dae4cd8f710fb243a54f5489bbf29c92e6c196fa13e67095352f94b

Download Submit
C:\Windows\System32\alg.exe

Filesize
493KB

MD5
af5f92eefb668a8a53832ba190d513e3

SHA1
36e06c96215148194df9b0ddd11c9acd9ef204f4

SHA256
1421d7e961128bc026855afd7ba2ea7209a312bc432f7a71fecf369bcf012729

SHA512
60a519e400311d06b15ebdee922e05ca77cc6c1d373f478c9e9e3fcfcef8215871c6d7253581aa06b54ba79913b080c4bdf437f31f588ab3f23cafe0461f03b2

Download Submit
\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
1.8MB

MD5
12bac4e0c33fcafa937f81f702a949d4

SHA1
aff39c54a6a66d4e13d5e8d41006c28a1c62c6ec

SHA256
d55f15a64b3e2878d99e183d5da67affa0f6bb9182b787364980a2afff3ae084

SHA512
680261aa10080425b6052b4fa9d8c3f98cd0b12529ec19f3b40f0ccd1fb8287fb332b8ad2056bd67fe0a37395739cff78b0b9fce4d8def60625df58d1307282a

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
a926651e4077039ee03066016510fed8

SHA1
ddd5b8a1d524c248af5b1e1fe3a4b7ab2aa5103b

SHA256
185380239979f86391b207904ce82dcda7b556106bef28cddb3feb5d4923079c

SHA512
bf4b1c76f99d3b08fe0f84d268179835e85a44adb042775fb8c10df891c321f98363236a15749da55ff89ab6bcfe9c7c192c3bb6f4c2b77906afd46af6af8a88

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.0MB

MD5
e4d7ce746224b158b9f7d670a047afa0

SHA1
946baca71d95b05a0309d2c147e5746ce2dbf7a6

SHA256
8f91af819d13c909abbd3b2cff9a1f375f443edf61d1dac0b18ecf3c85093ea4

SHA512
f06ba0976a61aa9b8ebdba2a1288e233af4574e40da01585dff4e6d94c1d32becd078e255dae4cd8f710fb243a54f5489bbf29c92e6c196fa13e67095352f94b

Download Submit
memory/676-134-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/676-162-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/676-145-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/676-146-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3144-152-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/3144-153-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/4364-148-0x0000000140000000-0x00000001400D5000-memory.dmp

Filesize
852KB

Download
memory/4364-155-0x0000000140000000-0x00000001400D5000-memory.dmp

Filesize
852KB

Download
memory/4364-159-0x0000000140000000-0x00000001400D5000-memory.dmp

Filesize
852KB

Download
memory/4676-150-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/4676-164-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download