effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3

Analysis

max time kernel
146s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe
Size

407KB
MD5

60e7da890c323a6f0685d0b5fe8b8ead
SHA1

3716c45a6fc02b9be96951a5a7ce861536472af3
SHA256

effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3
SHA512

c1a7d2cc8296776855a31a30960e1fe5861e269896261c31d817136390b86bc015b94018f7708cb2d75d80992acfa24203701f70e9ad947994123e50bca5045f
SSDEEP

12288:2gwj35X0zH2T07744h7NlOxSlcO0gz9BzNm:gz5X6HM0774876md/z4

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
3556	bcdedit.exe
2224	bcdedit.exe
2408	bcdedit.exe
1628	bcdedit.exe
4720	bcdedit.exe
852	bcdedit.exe
2040	bcdedit.exe
1656	bcdedit.exe
1236	bcdedit.exe
3208	bcdedit.exe

Drops file in Drivers directory 1 IoCs

Processes:

efuhe.exe

description ioc process

File created C:\Windows\system32\drivers\e576d41.sys efuhe.exe
Executes dropped EXE 1 IoCs

Processes:

efuhe.exe

pid process

1052 efuhe.exe

description	ioc	process
File created	C:\Windows\system32\drivers\e576d41.sys	efuhe.exe

pid	process
1052	efuhe.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

efuhe.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	efuhe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Efuhe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wauqo\\efuhe.exe"	efuhe.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe

description	pid	process	target process
PID 1612 set thread context of 4864	1612	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe	cmd.exe

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4112	1612	WerFault.exe	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe
2376	1052	WerFault.exe	efuhe.exe
1816	1612	WerFault.exe	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe
4660	1612	WerFault.exe	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe
1632	1612	WerFault.exe	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe
3336	1052	WerFault.exe	efuhe.exe
4604	1052	WerFault.exe	efuhe.exe
4336	1052	WerFault.exe	efuhe.exe
1828	1052	WerFault.exe	efuhe.exe
1624	1052	WerFault.exe	efuhe.exe
440	1052	WerFault.exe	efuhe.exe
3532	1052	WerFault.exe	efuhe.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "240"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exeefuhe.exe

pid	process
1612	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe
1612	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe
1052	efuhe.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

668
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

efuhe.exe

description pid process

Token: SeShutdownPrivilege 1052 efuhe.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4936 LogonUI.exe

pid	process
668

description	pid	process
Token: SeShutdownPrivilege	1052	efuhe.exe

pid	process
4936	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exeefuhe.exe

description	pid	process	target process
PID 1612 wrote to memory of 1052	1612	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe	efuhe.exe
PID 1612 wrote to memory of 1052	1612	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe	efuhe.exe
PID 1612 wrote to memory of 1052	1612	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe	efuhe.exe
PID 1052 wrote to memory of 3556	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 3556	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 852	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 852	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 4720	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 4720	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 2224	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 2224	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 2408	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 2408	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 1628	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 1628	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 2040	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 2040	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 1656	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 1656	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 1236	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 1236	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 3208	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 3208	1052	efuhe.exe	bcdedit.exe
PID 1052 wrote to memory of 2700	1052	efuhe.exe	sihost.exe
PID 1052 wrote to memory of 2700	1052	efuhe.exe	sihost.exe
PID 1052 wrote to memory of 2700	1052	efuhe.exe	sihost.exe
PID 1052 wrote to memory of 2700	1052	efuhe.exe	sihost.exe
PID 1052 wrote to memory of 2700	1052	efuhe.exe	sihost.exe
PID 1052 wrote to memory of 2836	1052	efuhe.exe	svchost.exe
PID 1052 wrote to memory of 2836	1052	efuhe.exe	svchost.exe
PID 1052 wrote to memory of 2836	1052	efuhe.exe	svchost.exe
PID 1052 wrote to memory of 2836	1052	efuhe.exe	svchost.exe
PID 1052 wrote to memory of 2836	1052	efuhe.exe	svchost.exe
PID 1052 wrote to memory of 2872	1052	efuhe.exe	taskhostw.exe
PID 1052 wrote to memory of 2872	1052	efuhe.exe	taskhostw.exe
PID 1052 wrote to memory of 2872	1052	efuhe.exe	taskhostw.exe
PID 1052 wrote to memory of 2872	1052	efuhe.exe	taskhostw.exe
PID 1052 wrote to memory of 2872	1052	efuhe.exe	taskhostw.exe
PID 1052 wrote to memory of 2492	1052	efuhe.exe	Explorer.EXE
PID 1052 wrote to memory of 2492	1052	efuhe.exe	Explorer.EXE
PID 1052 wrote to memory of 2492	1052	efuhe.exe	Explorer.EXE
PID 1052 wrote to memory of 2492	1052	efuhe.exe	Explorer.EXE
PID 1052 wrote to memory of 2492	1052	efuhe.exe	Explorer.EXE
PID 1052 wrote to memory of 776	1052	efuhe.exe	svchost.exe
PID 1052 wrote to memory of 776	1052	efuhe.exe	svchost.exe
PID 1052 wrote to memory of 776	1052	efuhe.exe	svchost.exe
PID 1052 wrote to memory of 776	1052	efuhe.exe	svchost.exe
PID 1052 wrote to memory of 776	1052	efuhe.exe	svchost.exe
PID 1052 wrote to memory of 3232	1052	efuhe.exe	DllHost.exe
PID 1052 wrote to memory of 3232	1052	efuhe.exe	DllHost.exe
PID 1052 wrote to memory of 3232	1052	efuhe.exe	DllHost.exe
PID 1052 wrote to memory of 3232	1052	efuhe.exe	DllHost.exe
PID 1052 wrote to memory of 3232	1052	efuhe.exe	DllHost.exe
PID 1052 wrote to memory of 3340	1052	efuhe.exe	StartMenuExperienceHost.exe
PID 1052 wrote to memory of 3340	1052	efuhe.exe	StartMenuExperienceHost.exe
PID 1052 wrote to memory of 3340	1052	efuhe.exe	StartMenuExperienceHost.exe
PID 1052 wrote to memory of 3340	1052	efuhe.exe	StartMenuExperienceHost.exe
PID 1052 wrote to memory of 3340	1052	efuhe.exe	StartMenuExperienceHost.exe
PID 1052 wrote to memory of 3408	1052	efuhe.exe	RuntimeBroker.exe
PID 1052 wrote to memory of 3408	1052	efuhe.exe	RuntimeBroker.exe
PID 1052 wrote to memory of 3408	1052	efuhe.exe	RuntimeBroker.exe
PID 1052 wrote to memory of 3408	1052	efuhe.exe	RuntimeBroker.exe
PID 1052 wrote to memory of 3408	1052	efuhe.exe	RuntimeBroker.exe
PID 1052 wrote to memory of 3508	1052	efuhe.exe	SearchApp.exe

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2836

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2700

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2492
- C:\Users\Admin\AppData\Local\Temp\effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe
  "C:\Users\Admin\AppData\Local\Temp\effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Users\Admin\AppData\Local\Temp\Wauqo\efuhe.exe
    "C:\Users\Admin\AppData\Local\Temp\Wauqo\efuhe.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3556
  - - C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2224
  - - C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2408
  - - C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1628
  - - C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4720
  - - C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      PID:852
  - - C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2040
  - - C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1656
  - - C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1236
  - - C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 712
      4⤵
      Program crash
      PID:2376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 796
      4⤵
      Program crash
      PID:3336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 804
      4⤵
      Program crash
      PID:4604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 824
      4⤵
      Program crash
      PID:4336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 800
      4⤵
      Program crash
      PID:1828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 812
      4⤵
      Program crash
      PID:1624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 804
      4⤵
      Program crash
      PID:440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 944
      4⤵
      Program crash
      PID:3532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 780
    3⤵
    - Program crash
    PID:4112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 780
    3⤵
    - Program crash
    PID:1816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 804
    3⤵
    - Program crash
    PID:4660
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 808
    3⤵
    - Program crash
    PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BWW192A.bat"
    3⤵
    PID:4864
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:776

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3232

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3340

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3408

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3740

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3508

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4920

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3748

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1612 -ip 1612
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1612 -ip 1612
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1052 -ip 1052
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 1052 -ip 1052
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1612 -ip 1612
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1612 -ip 1612
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1612 -ip 1612
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1612 -ip 1612
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1052 -ip 1052
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1052 -ip 1052
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1052 -ip 1052
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1052 -ip 1052
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1052 -ip 1052
1⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1052 -ip 1052
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1052 -ip 1052
1⤵
PID:2944

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3480

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5052

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b9055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BWW192A.bat

Filesize
274B

MD5
b952b5106dbf75f1540d45b58fde1b60

SHA1
c6368250d6400ae01195b73c32857ad7fadadb79

SHA256
b2a3e307a3bbaa9b1ff16f0ec63f9c89d4b89ffc9fa37766203427cc9e77bbd5

SHA512
40c179a48f9d62f6d397e665b2dc9c0f322c56994c98f890913dfa89d232bf331750088fedca90963fc27bdacf42b808d4bf7464023f87299613ea8437525d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wauqo\efuhe.exe

Filesize
407KB

MD5
d0c19c29a007068d2a223a93366b68fa

SHA1
a6ef73c012a4ae97d23e4986b359ce0c4e85c936

SHA256
1508a5f3229b23ed7ec8da5e7e37d20007011082dcbc642cebf0e168cf946c4a

SHA512
77b7f14d4082399e82cb785d5eb05ceaa3a44d412a0bb4df298160c87976d19857a6cee4ebf445e4920d1fadadac933416fb167ecc8afaef5bb45b0527bb465b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wauqo\efuhe.exe

Filesize
407KB

MD5
d0c19c29a007068d2a223a93366b68fa

SHA1
a6ef73c012a4ae97d23e4986b359ce0c4e85c936

SHA256
1508a5f3229b23ed7ec8da5e7e37d20007011082dcbc642cebf0e168cf946c4a

SHA512
77b7f14d4082399e82cb785d5eb05ceaa3a44d412a0bb4df298160c87976d19857a6cee4ebf445e4920d1fadadac933416fb167ecc8afaef5bb45b0527bb465b

Download Submit
memory/852-142-0x0000000000000000-mapping.dmp

Download
memory/1052-170-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1052-134-0x0000000000000000-mapping.dmp

Download
memory/1052-137-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1052-138-0x0000000002000000-0x0000000002006000-memory.dmp

Filesize
24KB

Download
memory/1052-139-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1052-140-0x0000000002000000-0x0000000002006000-memory.dmp

Filesize
24KB

Download
memory/1052-171-0x0000000002000000-0x0000000002006000-memory.dmp

Filesize
24KB

Download
memory/1236-149-0x0000000000000000-mapping.dmp

Download
memory/1612-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1612-132-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1612-133-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1612-160-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1612-157-0x0000000002310000-0x0000000002379000-memory.dmp

Filesize
420KB

Download
memory/1612-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1612-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1612-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1612-155-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1612-156-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1628-146-0x0000000000000000-mapping.dmp

Download
memory/1656-148-0x0000000000000000-mapping.dmp

Download
memory/2040-147-0x0000000000000000-mapping.dmp

Download
memory/2224-144-0x0000000000000000-mapping.dmp

Download
memory/2408-145-0x0000000000000000-mapping.dmp

Download
memory/3208-150-0x0000000000000000-mapping.dmp

Download
memory/3556-141-0x0000000000000000-mapping.dmp

Download
memory/4720-143-0x0000000000000000-mapping.dmp

Download
memory/4864-164-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4864-163-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4864-158-0x0000000000000000-mapping.dmp

Download
memory/4864-165-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4864-166-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4864-167-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4864-168-0x00000000009D0000-0x0000000000A39000-memory.dmp

Filesize
420KB

Download
memory/4864-162-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4864-161-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4864-159-0x00000000009D0000-0x0000000000A39000-memory.dmp

Filesize
420KB

Download