Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
07-05-2021 12:03
General
-
Target
64.exe
-
Size
1.6MB
-
MD5
2510bc30669edc05f9aeb06f5c92bed2
-
SHA1
3ac2a1e223d74323c18c9d4788ec3195c382dc64
-
SHA256
428280c60495d98bb323401c877783e641d21f649684fbacbb29bc8067bf6635
-
SHA512
9140358e8b8587b415ef65f0f13005920cf98ea3e98bf984aded7e1a10408b9a7f8bb4bde22de5e698f6ec3bf9d32abca849194e0b1c9daa8cb08961d03bddfb
Malware Config
Signatures
-
Executes dropped EXE 9 IoCs
-
Stops running service(s) 3 TTPs
-
Drops file in Windows directory 39 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 9 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\64.exe"C:\Users\Admin\AppData\Local\Temp\64.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Help\dxdiag.exe"C:\Windows\Help\dxdiag.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\Ms\any.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Fonts\Ms\svchost.exesvchost install MSSQLD "C:\Windows\Fonts\Ms\cm.bat"3⤵
- Executes dropped EXE
-
C:\Windows\Fonts\Ms\svchost.exesvchost install "MSSQLD" C:\Windows\Fonts\Ms\cm.bat3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\sc.exesc config "MSSQLD" start= AUTO3⤵
-
C:\Windows\Fonts\Ms\svchost.exesvchost start "MSSQLD"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\net.exenet start "MSSQLD"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start "MSSQLD"4⤵
-
C:\Windows\SysWOW64\net.exenet stop "MicrosoftMsql"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MicrosoftMsql"4⤵
-
C:\Windows\Fonts\Ms\svchost.exesvchost stop "MicrosoftMsql"3⤵
- Executes dropped EXE
-
C:\Windows\Fonts\Ms\svchost.exesvchost remove "MicrosoftMsql" confirm3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\sc.exesc delete "MicrosoftMsql"3⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 33⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /TN "At8" /TR "C:\Windows\Fonts\Ms\neibu.bat" /SC daily /ST 10:40:00 /RU SYSTEM3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\attrib.exeattrib -h -s -r C:\windows\tasks\At*.job3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -h -s -r C:\Windows\System32\Tasks\At*3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\windows\tasks\At6.job /c /e /t /g system:F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\windows\tasks\At6.job /c /e /t /g everyone:F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\Tasks\At6 /c /e /t /g system:F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\Tasks\At* /c /e /t /g everyone:F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\windows\tasks\At6.job /c /e /t /g system:F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\windows\tasks\At6.job /c /e /t /g everyone:F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\Tasks\At6 /c /e /t /g system:F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\Tasks\At6 /c /e /t /g everyone:F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\Tasks /c /e /t /g system:F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\Tasks /c /e /t /g everyone:F3⤵
-
C:\Windows\SysWOW64\net.exenet start schedule3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start schedule4⤵
-
C:\Windows\SysWOW64\sc.exesc start schedule3⤵
-
C:\Windows\Fonts\Ms\svchost.exesvchost start schedule3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /TN "At8" /TR "C:\Windows\Fonts\Ms\neibu.bat" /SC daily /ST 10:40:00 /RU SYSTEM3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\attrib.exeattrib -r C:\windows\tasks\At*.job3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -r C:\Windows\System32\Tasks\At*3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\windows\tasks\At8.job /c /e /t /g system:F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\windows\tasks\At8.job /c /e /t /g everyone:F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\Tasks\At8 /c /e /t /g system:F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\Tasks\At8 /c /e /t /g everyone:F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\Fonts\Msql\*.* /c /e /t /g everyone:F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\Fonts\Msql\*.* /c /e /t /g system:F3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h -s -r C:\Windows\Fonts\Msql\*.*3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -h -s -r C:\Windows\Fonts\Msql3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im ss.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im 32.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im c32.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im c64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im 64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im service.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im ll.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im ql.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\svchost.exeC:\Windows\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Ms\svchost.exeC:\Windows\Fonts\Ms\svchost.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\Ms\cm.bat" "2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\Ms\cm.bat" "2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\Ms\cm.bat" "2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\Ms\cm.bat" "2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\Ms\cm.bat" "2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\Ms\cm.bat" "2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\Ms\cm.bat" "2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Fonts\Ms\any.batMD5
f3ce82845d4d64d0083bef0bbcabe64b
SHA115161c5ddfeecf09c85150af69e9bcb346896194
SHA256a34508f4fd08a101c6e6fa66eeb73f911c2de4232c9efe6c0034c91ac3e891c9
SHA5127109a3e522c2c62aaf81ec78857c6a90628b296643bf78f54522af02dfaa7fe64e0b746d2d08b35b8af5d0277edac628c4a6f462e6f102750f10ae2a47bad7c2
-
C:\Windows\Fonts\Ms\svchost.exeMD5
7afcf45907f225e3e3cfeece3bbcd410
SHA19747e4c11bcf0393e1d1a2ac4b7c43af590da0bc
SHA256c5a346bd16c246db669605c70a547204313c0fa2325332a3d8427a4449e5b40e
SHA512ce091728b83bc4edb57dfbbeec4ce0de0220de82965ae3b2d6f71ce822be60a81c28ef7c605a8411c1113ee23513e06670029ec3b7af09ab0682b0358064c44f
-
C:\Windows\Fonts\Ms\svchost.exeMD5
7afcf45907f225e3e3cfeece3bbcd410
SHA19747e4c11bcf0393e1d1a2ac4b7c43af590da0bc
SHA256c5a346bd16c246db669605c70a547204313c0fa2325332a3d8427a4449e5b40e
SHA512ce091728b83bc4edb57dfbbeec4ce0de0220de82965ae3b2d6f71ce822be60a81c28ef7c605a8411c1113ee23513e06670029ec3b7af09ab0682b0358064c44f
-
C:\Windows\Fonts\Ms\svchost.exeMD5
7afcf45907f225e3e3cfeece3bbcd410
SHA19747e4c11bcf0393e1d1a2ac4b7c43af590da0bc
SHA256c5a346bd16c246db669605c70a547204313c0fa2325332a3d8427a4449e5b40e
SHA512ce091728b83bc4edb57dfbbeec4ce0de0220de82965ae3b2d6f71ce822be60a81c28ef7c605a8411c1113ee23513e06670029ec3b7af09ab0682b0358064c44f
-
C:\Windows\Fonts\Ms\svchost.exeMD5
7afcf45907f225e3e3cfeece3bbcd410
SHA19747e4c11bcf0393e1d1a2ac4b7c43af590da0bc
SHA256c5a346bd16c246db669605c70a547204313c0fa2325332a3d8427a4449e5b40e
SHA512ce091728b83bc4edb57dfbbeec4ce0de0220de82965ae3b2d6f71ce822be60a81c28ef7c605a8411c1113ee23513e06670029ec3b7af09ab0682b0358064c44f
-
C:\Windows\Fonts\Ms\svchost.exeMD5
7afcf45907f225e3e3cfeece3bbcd410
SHA19747e4c11bcf0393e1d1a2ac4b7c43af590da0bc
SHA256c5a346bd16c246db669605c70a547204313c0fa2325332a3d8427a4449e5b40e
SHA512ce091728b83bc4edb57dfbbeec4ce0de0220de82965ae3b2d6f71ce822be60a81c28ef7c605a8411c1113ee23513e06670029ec3b7af09ab0682b0358064c44f
-
C:\Windows\Fonts\Ms\svchost.exeMD5
7afcf45907f225e3e3cfeece3bbcd410
SHA19747e4c11bcf0393e1d1a2ac4b7c43af590da0bc
SHA256c5a346bd16c246db669605c70a547204313c0fa2325332a3d8427a4449e5b40e
SHA512ce091728b83bc4edb57dfbbeec4ce0de0220de82965ae3b2d6f71ce822be60a81c28ef7c605a8411c1113ee23513e06670029ec3b7af09ab0682b0358064c44f
-
C:\Windows\Fonts\Ms\svchost.exeMD5
7afcf45907f225e3e3cfeece3bbcd410
SHA19747e4c11bcf0393e1d1a2ac4b7c43af590da0bc
SHA256c5a346bd16c246db669605c70a547204313c0fa2325332a3d8427a4449e5b40e
SHA512ce091728b83bc4edb57dfbbeec4ce0de0220de82965ae3b2d6f71ce822be60a81c28ef7c605a8411c1113ee23513e06670029ec3b7af09ab0682b0358064c44f
-
C:\Windows\Fonts\Ms\svchost.exeMD5
7afcf45907f225e3e3cfeece3bbcd410
SHA19747e4c11bcf0393e1d1a2ac4b7c43af590da0bc
SHA256c5a346bd16c246db669605c70a547204313c0fa2325332a3d8427a4449e5b40e
SHA512ce091728b83bc4edb57dfbbeec4ce0de0220de82965ae3b2d6f71ce822be60a81c28ef7c605a8411c1113ee23513e06670029ec3b7af09ab0682b0358064c44f
-
C:\Windows\Help\dxdiag.exeMD5
3f16cd0ddc89cee34e2a17516d3cdaf7
SHA195980b35711abe98275faa6ecd6ca40f4ca41ead
SHA256309b9f57044afd1c8b0e0381da3e54cdd3f45aafd924bfbff2fd1d5aa0166e48
SHA51245b4e193b77f818c2f418e2b4dafb86c107dc6f9ec9f07eca9b44c7370bd234dbc3547cc8ea1f022d0b46f3dcf6b155836c8a60fbf342fbfbd423cda9a404f6b
-
C:\Windows\Help\dxdiag.exeMD5
3f16cd0ddc89cee34e2a17516d3cdaf7
SHA195980b35711abe98275faa6ecd6ca40f4ca41ead
SHA256309b9f57044afd1c8b0e0381da3e54cdd3f45aafd924bfbff2fd1d5aa0166e48
SHA51245b4e193b77f818c2f418e2b4dafb86c107dc6f9ec9f07eca9b44c7370bd234dbc3547cc8ea1f022d0b46f3dcf6b155836c8a60fbf342fbfbd423cda9a404f6b
-
C:\Windows\svchost.exeMD5
3f16cd0ddc89cee34e2a17516d3cdaf7
SHA195980b35711abe98275faa6ecd6ca40f4ca41ead
SHA256309b9f57044afd1c8b0e0381da3e54cdd3f45aafd924bfbff2fd1d5aa0166e48
SHA51245b4e193b77f818c2f418e2b4dafb86c107dc6f9ec9f07eca9b44c7370bd234dbc3547cc8ea1f022d0b46f3dcf6b155836c8a60fbf342fbfbd423cda9a404f6b
-
C:\Windows\svchost.exeMD5
3f16cd0ddc89cee34e2a17516d3cdaf7
SHA195980b35711abe98275faa6ecd6ca40f4ca41ead
SHA256309b9f57044afd1c8b0e0381da3e54cdd3f45aafd924bfbff2fd1d5aa0166e48
SHA51245b4e193b77f818c2f418e2b4dafb86c107dc6f9ec9f07eca9b44c7370bd234dbc3547cc8ea1f022d0b46f3dcf6b155836c8a60fbf342fbfbd423cda9a404f6b
-
memory/188-166-0x0000000000000000-mapping.dmp
-
memory/408-161-0x0000000000000000-mapping.dmp
-
memory/412-117-0x0000000000000000-mapping.dmp
-
memory/636-168-0x0000000000000000-mapping.dmp
-
memory/688-157-0x0000000000000000-mapping.dmp
-
memory/712-151-0x0000000000000000-mapping.dmp
-
memory/716-162-0x0000000000000000-mapping.dmp
-
memory/764-192-0x0000000000000000-mapping.dmp
-
memory/764-144-0x0000000000000000-mapping.dmp
-
memory/800-156-0x0000000000000000-mapping.dmp
-
memory/892-155-0x0000000000000000-mapping.dmp
-
memory/900-191-0x0000000000000000-mapping.dmp
-
memory/928-126-0x0000000000000000-mapping.dmp
-
memory/928-193-0x0000000000000000-mapping.dmp
-
memory/964-178-0x0000000000000000-mapping.dmp
-
memory/1236-190-0x0000000000000000-mapping.dmp
-
memory/1236-119-0x0000000000000000-mapping.dmp
-
memory/1328-149-0x0000000000000000-mapping.dmp
-
memory/1376-163-0x0000000000000000-mapping.dmp
-
memory/1460-135-0x0000000000000000-mapping.dmp
-
memory/1484-147-0x0000000000000000-mapping.dmp
-
memory/1568-172-0x0000000000000000-mapping.dmp
-
memory/2080-134-0x0000000000000000-mapping.dmp
-
memory/2112-188-0x0000000000000000-mapping.dmp
-
memory/2116-194-0x0000000000000000-mapping.dmp
-
memory/2140-152-0x0000000000000000-mapping.dmp
-
memory/2200-146-0x0000000000000000-mapping.dmp
-
memory/2200-169-0x0000000000000000-mapping.dmp
-
memory/2236-175-0x0000000000000000-mapping.dmp
-
memory/2304-145-0x0000000000000000-mapping.dmp
-
memory/2336-137-0x0000000000000000-mapping.dmp
-
memory/2624-164-0x0000000000000000-mapping.dmp
-
memory/2644-141-0x0000000000000000-mapping.dmp
-
memory/2696-129-0x0000000000000000-mapping.dmp
-
memory/2708-148-0x0000000000000000-mapping.dmp
-
memory/2884-176-0x0000000000000000-mapping.dmp
-
memory/2884-150-0x0000000000000000-mapping.dmp
-
memory/2900-122-0x0000000000000000-mapping.dmp
-
memory/3036-189-0x0000000000000000-mapping.dmp
-
memory/3148-143-0x0000000000000000-mapping.dmp
-
memory/3164-173-0x0000000000000000-mapping.dmp
-
memory/3168-186-0x0000000000000000-mapping.dmp
-
memory/3180-139-0x0000000000000000-mapping.dmp
-
memory/3180-184-0x0000000000000000-mapping.dmp
-
memory/3192-167-0x0000000000000000-mapping.dmp
-
memory/3232-171-0x0000000000000000-mapping.dmp
-
memory/3268-165-0x0000000000000000-mapping.dmp
-
memory/3284-177-0x0000000000000000-mapping.dmp
-
memory/3476-180-0x0000000000000000-mapping.dmp
-
memory/3568-183-0x0000000000000000-mapping.dmp
-
memory/3604-170-0x0000000000000000-mapping.dmp
-
memory/3700-154-0x0000000000000000-mapping.dmp
-
memory/3788-160-0x0000000000000000-mapping.dmp
-
memory/3872-136-0x0000000000000000-mapping.dmp
-
memory/3964-185-0x0000000000000000-mapping.dmp
-
memory/3968-138-0x0000000000000000-mapping.dmp
-
memory/3968-159-0x0000000000000000-mapping.dmp
-
memory/3976-187-0x0000000000000000-mapping.dmp
-
memory/4000-158-0x0000000000000000-mapping.dmp
-
memory/4008-182-0x0000000000000000-mapping.dmp
-
memory/4024-153-0x0000000000000000-mapping.dmp
-
memory/4024-179-0x0000000000000000-mapping.dmp
-
memory/4048-181-0x0000000000000000-mapping.dmp
-
memory/4080-124-0x0000000010000000-0x000000001000B000-memory.dmpFilesize
44KB
-
memory/4080-114-0x0000000000000000-mapping.dmp