{
	"id": "f486cc8e-b428-4483-bd9e-f5baf31c955b",
	"created_at": "2026-04-06T00:15:53.143587Z",
	"updated_at": "2026-04-10T03:21:47.431323Z",
	"deleted_at": null,
	"sha1_hash": "893942db95a729f1e032e695fcebb09f814eda3a",
	"title": "Parent PID Spoofing (Stage 2) Ataware Ransomware - Part 0x3 - Securityinbits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72224,
	"plain_text": "Parent PID Spoofing (Stage 2) Ataware Ransomware - Part 0x3 -\r\nSecurityinbits\r\nBy Ayush Anand\r\nPublished: 2019-05-14 · Archived: 2026-04-05 16:49:14 UTC\r\nAtaware Ransomware Stage 2 uses the Parent PID Spoofing technique to make lsass.exe the parent of the process it launches, and this article is also referenced on the MITRE ATT\u0026CK website [4]. You may download the ATAPIConfiguration.exe file from ANY.RUN (MD5: 04a2e6400b22a3a5e5e277eceaf2ce0c).\r\nOverview of ATAPIConfiguration.exe (Stage 2)\r\nStage 2 downloads the final Ataware Ransomware (ATAPIUpdtr.exe), which encrypts files, from its command-and-control (CC) server. Then it uses Parent PID Spoofing to set the parent PID to lsass.exe before executing it.\r\nCONTENTS\r\n1. Static Analysis\r\n2. Parent PID Spoofing\r\n3. Analysis steps in Ghidra\r\n4. Conclusion\r\n5. References\r\nStatic Analysis\r\n32-bit PE, compiled with GCC (MinGW)\r\nNothing interesting in the overlay, no resources\r\nCompiler timestamp is invalid (1997)\r\nThe file contains a TLS callback, but nothing interesting in it\r\nStrings\r\nBased on the strings berylia[.]net and /index/, we can guess that the malware may be downloading something.\r\nwininet.dll\r\nInternetConnectW\r\nberylia.net\r\nHttpOpenRequestW\r\n/index/\r\nGET\r\nInternetQueryOptionW\r\nInternetSetOptionW\r\nhttps://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3\r\nPage 1 of 3\n\nHttpSendRequestA\r\nTEMP\r\nkernel32.dll\r\nCreateFileW\r\nInternetReadFile\r\nWriteFile\r\nInternetCloseHandle\r\nAdvapi32.dll\r\nLookupPrivilegeValueW\r\nAdjustTokenPrivileges\r\nOpenThreadToken\r\nImpersonateSelf\r\nSeDebugPrivilege\r\nCreateToolhelp32Snapshot\r\nProcess32FirstW\r\nProcess32NextW\r\nlsass.exe\r\nOpenProcess\r\nInitializeProcThreadAttributeList\r\nUpdateProcThreadAttribute\r\nCreateProcessA\r\nParent PID Spoofing\r\nStage 2 mainly uses the InitializeProcThreadAttributeList, UpdateProcThreadAttribute \u0026 CreateProcessA APIs together with the STARTUPINFOEXA structure for the spoofing. Didier Stevens already blogged about this in 2009 [1]: “Normally the parent process of a new process is the process that created the new process (via CreateProcess). But when using STARTUPINFOEX with the right LPPROC_THREAD_ATTRIBUTE_LIST to create a process, you can arbitrarily specify the parent process, provided you have the debug rights.” Before spoofing, Stage 2 enables SeDebugPrivilege for the current thread.\r\nThe UpdateProcThreadAttribute function [2] is called with the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS (0x00020000) attribute and the handle of lsass.exe. Finally, CreateProcessA is called with a STARTUPINFOEXA structure containing the new StartupInfoEx.lpAttributeList and the creation flags 0x80010 (EXTENDED_STARTUPINFO_PRESENT | CREATE_NEW_CONSOLE), which creates the new process under a different parent PID.\r\nAnalysis steps in Ghidra\r\n1. Navigate to the entry function, then to WinMain at address 0x4013dd, as shown below.\r\n2. We will concentrate on download_spoof_parent_process_exe (0x40208b) in the main function, as shown below.\r\n3. The function at 0x401cb7, before any rename/comment.\r\n4. This function contains calls to two main functions: FUN_00401b91() \u0026 FUN_00401579().\r\n5. Let’s focus on FUN_00401b91 (renamed adjust_priv_current_thread_sedebug); this function enables SeDebugPrivilege for the current thread.\r\nTip: the LookupPrivilegeValueW \u0026 AdjustTokenPrivileges APIs are very common in malware that wants to enable SeDebugPrivilege. For details, please check this MSDN page [3].\r\n6. FUN_00401579() (renamed download_save_ATAPIUpdtr_exe) downloads the file from the CC hxxps://berylia[.]net/index/ and saves it to the $temp directory as ATAPIUpdtr.exe.\r\n7. Parent PID Spoofing is shown below in the final, annotated code of download_spoof_parent_process_exe.\r\nDynamic Analysis using Sysmon\r\nSysmon File Create event\r\nHere you can see the Process Create event with spoofing in action: the Parent Image is lsass.exe.\r\nConclusion\r\nAnalysed Parent PID Spoofing and saw it in action using Sysmon\r\nMalware uses this technique to evade detections based on the parent-child process relationship\r\nWe understood how a malware author can enable SeDebugPrivilege\r\nThanks for reading. Feel free to connect with me on or LinkedIn for any suggestions or comments.\r\nSource: https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3"
	],
	"report_names": [
		"parent-pid-spoofing-stage-2-ataware-ransomware-part-3"
	],
	"threat_actors": [],
	"ts_created_at": 1775434553,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/893942db95a729f1e032e695fcebb09f814eda3a.pdf",
		"text": "https://archive.orkl.eu/893942db95a729f1e032e695fcebb09f814eda3a.txt",
		"img": "https://archive.orkl.eu/893942db95a729f1e032e695fcebb09f814eda3a.jpg"
	}
}