Ghidra

Parent PID Spoofing (Stage 2) Ataware Ransomware – Part 0x3

May 14, 2019

Ataware, Ghidra, PE, Ransomware, Strings, Sysmon

Ataware Ransomware Stage 2 uses Parent PID Spoofing technique to change its parent PID to lsass.exe and this article is also referred to in Mitre Attack website [4]. You may download the ATAPIConfiguration.exe file from ANY.RUN (MD5: 04a2e6400b22a3a5e5e277eceaf2ce0c) Please check previous posts, if you are interested in the complete infection…

UAC bypass analysis (Stage 1) Ataware Ransomware – Part 0x2

May 7, 2019

Ataware, CMSTP, Ghidra, PE, Ransomware, Strings, Sysmon, T1088, T1191, T1218

Ataware Ransomware uses UAC bypass using CMSTPLUA COM interface in ATAPIinit.exe (Stage 1). It was downloaded from Dropbox url when the user opened the malicious Excel and enabled the Macro. For details, please check the previous Excel 4.0 Macro Analysis – Ataware Ransomware Part 1. You may download the ATAPIinit.exe…