Analysis
max time kernel: 150s
max time network: 151s
platform: windows10_x64
resource: win10v20201028
submitted: 14-12-2020 14:57

Static task: static1
Behavioral task: behavioral1
  Sample: 66da6bd2b703134d7b74901f8a059419.dll
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 66da6bd2b703134d7b74901f8a059419.dll
  Resource: win10v20201028

General
Target: 66da6bd2b703134d7b74901f8a059419.dll
Size: 5.0MB
MD5: 66da6bd2b703134d7b74901f8a059419
SHA1: 6ccd5843205e31b34fecdc53ca8917abe70e961c
SHA256: 5527e5ed8fb971e705ebfe16f68e7a1175d80bdbfa92af672223fdc556f4fa9d
SHA512: 76af3d35d378a412e9e00c0baaf9897b6cfac945107f980b8768cab90e614499d724a87de05d3a6ea1195acc1eba45cfeb9ee6871b93e672c36c56fafd1d44b2

Malware Config
Signatures
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | mssecsvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | mssecsvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | mssecsvc.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\mssecsvc.exe = "C:\\WINDOWS\\mssecsvc.exe:*:enabled:@shell32.dll,-1" | mssecsvc.exe

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 4204 created 4980 | 4204 | WerFault.exe | mssecsvc.exe

Wannacry
WannaCry is a ransomware cryptoworm.

ServiceHost packer 13 IoCs
Detects ServiceHost packer used for .NET malware
Processes:
resource | yara_rule
behavioral2/memory/4980-8-0x0000000000000000-mapping.dmp | servicehost
behavioral2/memory/4980-12-0x0000000000000000-mapping.dmp | servicehost
behavioral2/memory/4980-14-0x0000000000000000-mapping.dmp | servicehost
behavioral2/memory/4980-16-0x0000000000000000-mapping.dmp | servicehost
behavioral2/memory/4980-17-0x0000000000000000-mapping.dmp | servicehost
behavioral2/memory/4980-15-0x0000000000000000-mapping.dmp | servicehost
behavioral2/memory/4980-13-0x0000000000000000-mapping.dmp | servicehost
behavioral2/memory/4980-18-0x0000000000000000-mapping.dmp | servicehost
behavioral2/memory/4980-19-0x0000000000000000-mapping.dmp | servicehost
behavioral2/memory/4980-20-0x0000000000000000-mapping.dmp | servicehost
behavioral2/memory/4980-21-0x0000000000000000-mapping.dmp | servicehost
behavioral2/memory/4980-22-0x0000000000000000-mapping.dmp | servicehost
behavioral2/memory/4980-23-0x0000000000000000-mapping.dmp | servicehost

Executes dropped EXE 2 IoCs
Processes:
pid | process
4980 | mssecsvc.exe
4260 | mssecsvc.exe

Drops file in System32 directory 7 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\Y4JFUBT6.cookie | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | mssecsvc.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\Y4JFUBT6.cookie | mssecsvc.exe

Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe

Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
4204 | 4980 | WerFault.exe | mssecsvc.exe

Modifies data under HKEY_USERS 8 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes:
pid | process | entries
4980 | mssecsvc.exe | 2
4260 | mssecsvc.exe | 2
4204 | WerFault.exe | 15

Suspicious behavior: MapViewOfSection 122 IoCs
Processes:
pid | process (distinct pairs; each pair is repeated many times in the listing)
4980 | mssecsvc.exe
4260 | mssecsvc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4980 | mssecsvc.exe
Token: SeDebugPrivilege | 4260 | mssecsvc.exe
Token: SeRestorePrivilege | 4204 | WerFault.exe
Token: SeBackupPrivilege | 4204 | WerFault.exe
Token: SeDebugPrivilege | 4204 | WerFault.exe

Suspicious use of WriteProcessMemory 738 IoCs
Processes:
description | pid | process | target process (distinct entries; each is repeated several times in the listing)
PID 4764 wrote to memory of 4920 | 4764 | rundll32.exe | rundll32.exe
PID 4920 wrote to memory of 4980 | 4920 | rundll32.exe | mssecsvc.exe
PID 4980 wrote to memory of 544 | 4980 | mssecsvc.exe | winlogon.exe
PID 4980 wrote to memory of 628 | 4980 | mssecsvc.exe | lsass.exe
PID 4980 wrote to memory of 704 | 4980 | mssecsvc.exe | fontdrvhost.exe
PID 4980 wrote to memory of 708 | 4980 | mssecsvc.exe | fontdrvhost.exe
PID 4980 wrote to memory of 760 | 4980 | mssecsvc.exe | svchost.exe
PID 4980 wrote to memory of 796 | 4980 | mssecsvc.exe | svchost.exe
PID 4980 wrote to memory of 848 | 4980 | mssecsvc.exe | svchost.exe
PID 4980 wrote to memory of 900 | 4980 | mssecsvc.exe | svchost.exe
PID 4980 wrote to memory of 948 | 4980 | mssecsvc.exe | dwm.exe
PID 4980 wrote to memory of 348 | 4980 | mssecsvc.exe | svchost.exe

Processes
image path | command line (child processes are indented under their parent; triggered signatures are listed beneath each process)
C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -s FontCache
C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x3b4
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -s CDPSvc
C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\66da6bd2b703134d7b74901f8a059419.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\66da6bd2b703134d7b74901f8a059419.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      C:\WINDOWS\mssecsvc.exe | C:\WINDOWS\mssecsvc.exe
        - Modifies firewall policy service
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1232
          - Suspicious use of NtCreateProcessExOtherParentProcess
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
c:\windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
c:\windows\system32\sihost.exe | sihost.exe
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Browser
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s WpnService
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
  C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k appmodel -s StateRepository
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -s netprofm
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservice -s Dnscache
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s SENS
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s UserManager
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -s EventSystem
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Themes
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -s nsi
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Schedule
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
\??\c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s BITS
C:\Windows\system32\dwm.exe | "dwm.exe"
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch
  C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -Embedding
  C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
C:\Windows\system32\winlogon.exe | winlogon.exe
\??\c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
C:\WINDOWS\mssecsvc.exe | C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\WINDOWS\mssecsvc.exe
  MD5: 07251eabca6cea8e9cb4ad38395c3a03
  SHA1: a3a786c9bc65ee4669eafa57dff21576034c5f8b
  SHA256: 36271570082f46c90e4f0f6045d95c5df42bdefc0f9d437983634586c8a87949
  SHA512: 9e0eb7d289163865ac61838b883a87b0de65b6be92fc1666f5fd9534a46f1e1cbb219a14735a4fe5b94b798e438cb0334bb9d2ebbd2b7b4c247eecbf3df88c7b
C:\Windows\mssecsvc.exe
  MD5: 07251eabca6cea8e9cb4ad38395c3a03
  SHA1: a3a786c9bc65ee4669eafa57dff21576034c5f8b
  SHA256: 36271570082f46c90e4f0f6045d95c5df42bdefc0f9d437983634586c8a87949
  SHA512: 9e0eb7d289163865ac61838b883a87b0de65b6be92fc1666f5fd9534a46f1e1cbb219a14735a4fe5b94b798e438cb0334bb9d2ebbd2b7b4c247eecbf3df88c7b
memory/4204-9-0x00000000049C0000-0x00000000049C1000-memory.dmp | Filesize 4KB
memory/4204-24-0x0000000004EF0000-0x0000000004EF1000-memory.dmp | Filesize 4KB
memory/4204-10-0x00000000049C0000-0x00000000049C1000-memory.dmp | Filesize 4KB
memory/4920-2-0x0000000000000000-mapping.dmp
memory/4980-14-0x0000000000000000-mapping.dmp
memory/4980-13-0x0000000000000000-mapping.dmp
memory/4980-12-0x0000000000000000-mapping.dmp
memory/4980-7-0x000000007FE90000-0x000000007FE9C000-memory.dmp | Filesize 48KB
memory/4980-16-0x0000000000000000-mapping.dmp
memory/4980-17-0x0000000000000000-mapping.dmp
memory/4980-15-0x0000000000000000-mapping.dmp
memory/4980-8-0x0000000000000000-mapping.dmp
memory/4980-18-0x0000000000000000-mapping.dmp
memory/4980-19-0x0000000000000000-mapping.dmp
memory/4980-20-0x0000000000000000-mapping.dmp
memory/4980-21-0x0000000000000000-mapping.dmp
memory/4980-22-0x0000000000000000-mapping.dmp
memory/4980-23-0x0000000000000000-mapping.dmp
memory/4980-3-0x0000000000000000-mapping.dmp