a6963bb5ae9f8bd47ad12e371ddd633ca7dd7bdbe8d9d9ca09fd6f20f2442291

General

Target

a6963bb5ae9f8bd47ad12e371ddd633ca7dd7bdbe8d9d9ca09fd6f20f2442291.exe
Size

1.3MB
MD5

ce91f8d31da74fe243e6404a8866b2c1
SHA1

3929bb670d830dc1b990a338483d9fb389e63308
SHA256

a6963bb5ae9f8bd47ad12e371ddd633ca7dd7bdbe8d9d9ca09fd6f20f2442291
SHA512

d0525dfcd869d2dc12045cafb31872c8b9c585ed85de002eb5027f28a7e59150bfd408134fcf947b0858b819c64148b760ca5efee4f61580ac7ef493a224391b

Score

8^/10

discovery evasion exploit

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exe

pid process

1316 icacls.exe
1352 icacls.exe
1616 icacls.exe
1716 icacls.exe
1028 takeown.exe
1896 takeown.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 6 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

1028 takeown.exe
1896 takeown.exe
1316 icacls.exe
1352 icacls.exe
1616 icacls.exe
1716 icacls.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

takeown.exetakeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 1028 takeown.exe
Token: SeTakeOwnershipPrivilege 1896 takeown.exe

pid	process
1316	icacls.exe
1352	icacls.exe
1616	icacls.exe
1716	icacls.exe
1028	takeown.exe
1896	takeown.exe

pid	process
1028	takeown.exe
1896	takeown.exe
1316	icacls.exe
1352	icacls.exe
1616	icacls.exe
1716	icacls.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1028	takeown.exe
Token: SeTakeOwnershipPrivilege	1896	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a6963bb5ae9f8bd47ad12e371ddd633ca7dd7bdbe8d9d9ca09fd6f20f2442291.execmd.exe

description	pid	process	target process
PID 1748 wrote to memory of 2012	1748	a6963bb5ae9f8bd47ad12e371ddd633ca7dd7bdbe8d9d9ca09fd6f20f2442291.exe	cmd.exe
PID 1748 wrote to memory of 2012	1748	a6963bb5ae9f8bd47ad12e371ddd633ca7dd7bdbe8d9d9ca09fd6f20f2442291.exe	cmd.exe
PID 1748 wrote to memory of 2012	1748	a6963bb5ae9f8bd47ad12e371ddd633ca7dd7bdbe8d9d9ca09fd6f20f2442291.exe	cmd.exe
PID 1748 wrote to memory of 2012	1748	a6963bb5ae9f8bd47ad12e371ddd633ca7dd7bdbe8d9d9ca09fd6f20f2442291.exe	cmd.exe
PID 1748 wrote to memory of 2012	1748	a6963bb5ae9f8bd47ad12e371ddd633ca7dd7bdbe8d9d9ca09fd6f20f2442291.exe	cmd.exe
PID 1748 wrote to memory of 2012	1748	a6963bb5ae9f8bd47ad12e371ddd633ca7dd7bdbe8d9d9ca09fd6f20f2442291.exe	cmd.exe
PID 1748 wrote to memory of 2012	1748	a6963bb5ae9f8bd47ad12e371ddd633ca7dd7bdbe8d9d9ca09fd6f20f2442291.exe	cmd.exe
PID 2012 wrote to memory of 1004	2012	cmd.exe	fsutil.exe
PID 2012 wrote to memory of 1004	2012	cmd.exe	fsutil.exe
PID 2012 wrote to memory of 1004	2012	cmd.exe	fsutil.exe
PID 2012 wrote to memory of 1004	2012	cmd.exe	fsutil.exe
PID 2012 wrote to memory of 1700	2012	cmd.exe	netsh.exe
PID 2012 wrote to memory of 1700	2012	cmd.exe	netsh.exe
PID 2012 wrote to memory of 1700	2012	cmd.exe	netsh.exe
PID 2012 wrote to memory of 1700	2012	cmd.exe	netsh.exe
PID 2012 wrote to memory of 1360	2012	cmd.exe	netsh.exe
PID 2012 wrote to memory of 1360	2012	cmd.exe	netsh.exe
PID 2012 wrote to memory of 1360	2012	cmd.exe	netsh.exe
PID 2012 wrote to memory of 1360	2012	cmd.exe	netsh.exe
PID 2012 wrote to memory of 1916	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 1916	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 1916	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 1916	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 900	2012	cmd.exe	netsh.exe
PID 2012 wrote to memory of 900	2012	cmd.exe	netsh.exe
PID 2012 wrote to memory of 900	2012	cmd.exe	netsh.exe
PID 2012 wrote to memory of 900	2012	cmd.exe	netsh.exe
PID 2012 wrote to memory of 1908	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 1908	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 1908	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 1908	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 472	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 472	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 472	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 472	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 908	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 908	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 908	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 908	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 1152	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 1152	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 1152	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 1152	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 828	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 828	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 828	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 828	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 444	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 444	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 444	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 444	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 1672	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 1672	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 1672	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 1672	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 576	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 576	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 576	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 576	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 1996	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 1996	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 1996	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 1996	2012	cmd.exe	sc.exe
PID 2012 wrote to memory of 1840	2012	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\a6963bb5ae9f8bd47ad12e371ddd633ca7dd7bdbe8d9d9ca09fd6f20f2442291.exe
"C:\Users\Admin\AppData\Local\Temp\a6963bb5ae9f8bd47ad12e371ddd633ca7dd7bdbe8d9d9ca09fd6f20f2442291.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\SetupComplete.cmd" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\fsutil.exe
fsutil dirty query C:
3⤵
PID:1004

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
3⤵
PID:1700

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule all
3⤵
PID:1360

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
3⤵
PID:1916

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles settings inboundusernotification enable
3⤵
PID:900

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles settings remotemanagement disable
3⤵
PID:1908

C:\Windows\SysWOW64\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
3⤵
PID:472

C:\Windows\SysWOW64\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
3⤵
PID:908

C:\Windows\SysWOW64\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"
3⤵
PID:1152

C:\Windows\SysWOW64\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
3⤵
PID:828

C:\Windows\SysWOW64\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
3⤵
PID:444

C:\Windows\SysWOW64\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
3⤵
PID:1672

C:\Windows\SysWOW64\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
3⤵
PID:576

C:\Windows\SysWOW64\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
3⤵
PID:1996

C:\Windows\SysWOW64\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
3⤵
PID:1840

C:\Windows\SysWOW64\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
3⤵
PID:1012

C:\Windows\SysWOW64\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
3⤵
PID:1520

C:\Windows\SysWOW64\schtasks.exe
schtasks /change /disable /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
3⤵
PID:956

C:\Windows\SysWOW64\schtasks.exe
schtasks /change /disable /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
3⤵
PID:1300

C:\Windows\SysWOW64\schtasks.exe
schtasks /change /disable /tn "\Microsoft\Windows\Autochk\Proxy"
3⤵
PID:1612

C:\Windows\SysWOW64\schtasks.exe
schtasks /change /disable /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
3⤵
PID:1684

C:\Windows\SysWOW64\schtasks.exe
schtasks /change /disable /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
3⤵
PID:1784

C:\Windows\SysWOW64\schtasks.exe
schtasks /change /disable /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
3⤵
PID:776

C:\Windows\SysWOW64\schtasks.exe
schtasks /change /disable /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
3⤵
PID:592

C:\Windows\SysWOW64\schtasks.exe
schtasks /change /disable /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
3⤵
PID:1700

C:\Windows\SysWOW64\schtasks.exe
schtasks /change /disable /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
3⤵
PID:1992

C:\Windows\SysWOW64\schtasks.exe
schtasks /change /disable /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
3⤵
PID:1376

C:\Windows\SysWOW64\schtasks.exe
schtasks /change /disable /tn "\Microsoft\Windows\Maintenance\WinSAT"
3⤵
PID:648

C:\Windows\SysWOW64\sc.exe
sc stop Alerter
3⤵
PID:112

C:\Windows\SysWOW64\sc.exe
sc stop Browser
3⤵
PID:1916

C:\Windows\SysWOW64\sc.exe
sc stop bthserv
3⤵
PID:1652

C:\Windows\SysWOW64\sc.exe
sc stop cisvc
3⤵
PID:580

C:\Windows\SysWOW64\sc.exe
sc stop ClipSrv
3⤵
PID:1932

C:\Windows\SysWOW64\sc.exe
sc stop CscService
3⤵
PID:1172

C:\Windows\SysWOW64\sc.exe
sc stop cscsvc
3⤵
PID:1908

C:\Windows\SysWOW64\sc.exe
sc stop DiagTrack
3⤵
PID:472

C:\Windows\SysWOW64\sc.exe
sc stop ERSvc
3⤵
PID:1596

C:\Windows\SysWOW64\sc.exe
sc stop helpsvc
3⤵
PID:1816

C:\Windows\SysWOW64\sc.exe
sc stop HbHost
3⤵
PID:1532

C:\Windows\SysWOW64\sc.exe
sc stop HidServ
3⤵
PID:1928

C:\Windows\SysWOW64\sc.exe
sc stop HvHost
3⤵
PID:1960

C:\Windows\SysWOW64\sc.exe
sc stop LanmanServer
3⤵
PID:1896

C:\Windows\SysWOW64\sc.exe
sc stop lfsvc
3⤵
PID:672

C:\Windows\SysWOW64\sc.exe
sc stop LmHosts
3⤵
PID:1616

C:\Windows\SysWOW64\sc.exe
sc stop MapsBroker
3⤵
PID:1716

C:\Windows\SysWOW64\sc.exe
sc stop Messenger
3⤵
PID:1740

C:\Windows\SysWOW64\sc.exe
sc stop mnmsrvc
3⤵
PID:1580

C:\Windows\SysWOW64\sc.exe
sc stop NetDDE
3⤵
PID:1600

C:\Windows\SysWOW64\sc.exe
sc stop NetDDEdsdm
3⤵
PID:1640

C:\Windows\SysWOW64\sc.exe
sc stop Netlogon
3⤵
PID:2004

C:\Windows\SysWOW64\sc.exe
sc stop PeerDistSvc
3⤵
PID:1004

C:\Windows\SysWOW64\sc.exe
sc stop PhoneSvc
3⤵
PID:268

C:\Windows\SysWOW64\sc.exe
sc stop PolicyAgent
3⤵
PID:524

C:\Windows\SysWOW64\sc.exe
sc stop RDSessMgr
3⤵
PID:1488

C:\Windows\SysWOW64\sc.exe
sc stop RemoteAccess
3⤵
PID:552

C:\Windows\SysWOW64\sc.exe
sc stop RemoteRegistry
3⤵
PID:1360

C:\Windows\SysWOW64\sc.exe
sc stop Retaildemo
3⤵
PID:1100

C:\Windows\SysWOW64\sc.exe
sc stop RpcLocator
3⤵
PID:1056

C:\Windows\SysWOW64\sc.exe
sc stop RSVP
3⤵
PID:340

C:\Windows\SysWOW64\sc.exe
sc stop SCardSvr
3⤵
PID:568

C:\Windows\SysWOW64\sc.exe
sc stop SCardDrv
3⤵
PID:1860

C:\Windows\SysWOW64\sc.exe
sc stop SEMgrsvc
3⤵
PID:1988

C:\Windows\SysWOW64\sc.exe
sc stop SensorService
3⤵
PID:1940

C:\Windows\SysWOW64\sc.exe
sc stop SensrSvc
3⤵
PID:1544

C:\Windows\SysWOW64\sc.exe
sc stop Smsrouter
3⤵
PID:472

C:\Windows\SysWOW64\sc.exe
sc stop Snmptrap
3⤵
PID:1364

C:\Windows\SysWOW64\sc.exe
sc stop SSDPSRV
3⤵
PID:828

C:\Windows\SysWOW64\sc.exe
sc stop SysmonLog
3⤵
PID:1704

C:\Windows\SysWOW64\sc.exe
sc stop TlntSvr
3⤵
PID:1928

C:\Windows\SysWOW64\sc.exe
sc stop uploadmgr
3⤵
PID:1184

C:\Windows\SysWOW64\sc.exe
sc stop Upnphost
3⤵
PID:1996

C:\Windows\SysWOW64\sc.exe
sc stop UPS
3⤵
PID:1316

C:\Windows\SysWOW64\sc.exe
sc stop vmicguestinterface
3⤵
PID:672

C:\Windows\SysWOW64\sc.exe
sc stop vmicheartbeat
3⤵
PID:1012

C:\Windows\SysWOW64\sc.exe
sc stop vmickvpexchange
3⤵
PID:980

C:\Windows\SysWOW64\sc.exe
sc stop vmicrdv
3⤵
PID:996

C:\Windows\SysWOW64\sc.exe
sc stop vmicshutdown
3⤵
PID:1740

C:\Windows\SysWOW64\sc.exe
sc stop vmictimesync
3⤵
PID:1764

C:\Windows\SysWOW64\sc.exe
sc stop vmicvss
3⤵
PID:1300

C:\Windows\SysWOW64\sc.exe
sc stop vmicvmsession
3⤵
PID:1668

C:\Windows\SysWOW64\sc.exe
sc stop WebClient
3⤵
PID:2004

C:\Windows\SysWOW64\sc.exe
sc stop Wersvc
3⤵
PID:1892

C:\Windows\SysWOW64\sc.exe
sc stop W32Time
3⤵
PID:1604

C:\Windows\SysWOW64\sc.exe
sc stop winrm
3⤵
PID:440

C:\Windows\SysWOW64\sc.exe
sc stop WmdmPmSp
3⤵
PID:588

C:\Windows\SysWOW64\sc.exe
sc stop WmiApSrv
3⤵
PID:524

C:\Windows\SysWOW64\sc.exe
sc stop WMPNetworkSvc
3⤵
PID:1488

C:\Windows\SysWOW64\sc.exe
sc stop WZCSVC
3⤵
PID:1884

C:\Windows\SysWOW64\sc.exe
sc config Alerter start= disabled
3⤵
PID:648

C:\Windows\SysWOW64\sc.exe
sc config Browser start= disabled
3⤵
PID:1636

C:\Windows\SysWOW64\sc.exe
sc config bthserv start= disabled
3⤵
PID:1492

C:\Windows\SysWOW64\sc.exe
sc config cisvc start= disabled
3⤵
PID:1916

C:\Windows\SysWOW64\sc.exe
sc config ClipSrv start= disabled
3⤵
PID:1860

C:\Windows\SysWOW64\sc.exe
sc config CscService start= disabled
3⤵
PID:668

C:\Windows\SysWOW64\sc.exe
sc config cscsvc start= disabled
3⤵
PID:872

C:\Windows\SysWOW64\sc.exe
sc config DiagTrack start= disabled
3⤵
PID:1932

C:\Windows\SysWOW64\sc.exe
sc config ERSvc start= disabled
3⤵
PID:1940

C:\Windows\SysWOW64\sc.exe
sc config helpsvc start= disabled
3⤵
PID:824

C:\Windows\SysWOW64\sc.exe
sc config HbHost start= disabled
3⤵
PID:1908

C:\Windows\SysWOW64\sc.exe
sc config HidServ start= disabled
3⤵
PID:1336

C:\Windows\SysWOW64\sc.exe
sc config HvHost start= disabled
3⤵
PID:1112

C:\Windows\SysWOW64\sc.exe
sc config LanmanServer start= disabled
3⤵
PID:1092

C:\Windows\SysWOW64\sc.exe
sc config lfsvc start= disabled
3⤵
PID:1672

C:\Windows\SysWOW64\sc.exe
sc config LmHosts start= disabled
3⤵
PID:292

C:\Windows\SysWOW64\sc.exe
sc config MapsBroker start= disabled
3⤵
PID:804

C:\Windows\SysWOW64\sc.exe
sc config Messenger start= disabled
3⤵
PID:1532

C:\Windows\SysWOW64\sc.exe
sc config mnmsrvc start= disabled
3⤵
PID:576

C:\Windows\SysWOW64\sc.exe
sc config NetDDE start= disabled
3⤵
PID:1960

C:\Windows\SysWOW64\sc.exe
sc config NetDDEdsdm start= disabled
3⤵
PID:1348

C:\Windows\SysWOW64\sc.exe
sc config Netlogon start= disabled
3⤵
PID:1840

C:\Windows\SysWOW64\sc.exe
sc config PeerDistSvc start= disabled
3⤵
PID:928

C:\Windows\SysWOW64\sc.exe
sc config PhoneSvc start= disabled
3⤵
PID:1584

C:\Windows\SysWOW64\sc.exe
sc config PolicyAgent start= disabled
3⤵
PID:1520

C:\Windows\SysWOW64\sc.exe
sc config RDSessMgr start= disabled
3⤵
PID:956

C:\Windows\SysWOW64\sc.exe
sc config RemoteAccess start= disabled
3⤵
PID:1836

C:\Windows\SysWOW64\sc.exe
sc config RemoteRegistry start= disabled
3⤵
PID:1612

C:\Windows\SysWOW64\sc.exe
sc config Retaildemo start= disabled
3⤵
PID:1600

C:\Windows\SysWOW64\sc.exe
sc config RpcLocator start= disabled
3⤵
PID:1684

C:\Windows\SysWOW64\sc.exe
sc config RSVP start= disabled
3⤵
PID:1120

C:\Windows\SysWOW64\sc.exe
sc config SCardDrv start= disabled
3⤵
PID:696

C:\Windows\SysWOW64\sc.exe
sc config SCardSvr start= disabled
3⤵
PID:1004

C:\Windows\SysWOW64\sc.exe
sc config SEMgrsvc start= disabled
3⤵
PID:268

C:\Windows\SysWOW64\sc.exe
sc config SensorService start= disabled
3⤵
PID:1700

C:\Windows\SysWOW64\sc.exe
sc config SensrSvc start= disabled
3⤵
PID:1516

C:\Windows\SysWOW64\sc.exe
sc config Smsrouter start= disabled
3⤵
PID:1824

C:\Windows\SysWOW64\sc.exe
sc config Snmptrap start= disabled
3⤵
PID:1560

C:\Windows\SysWOW64\sc.exe
sc config SSDPSRV start= disabled
3⤵
PID:548

C:\Windows\SysWOW64\sc.exe
sc config SysmonLog start= disabled
3⤵
PID:1608

C:\Windows\SysWOW64\sc.exe
sc config TlntSvr start= disabled
3⤵
PID:936

C:\Windows\SysWOW64\sc.exe
sc config uploadmgr start= disabled
3⤵
PID:1504

C:\Windows\SysWOW64\sc.exe
sc config Upnphost start= disabled
3⤵
PID:112

C:\Windows\SysWOW64\sc.exe
sc config UPS start= disabled
3⤵
PID:1016

C:\Windows\SysWOW64\sc.exe
sc config vmicguestinterface start= disabled
3⤵
PID:1968

C:\Windows\SysWOW64\sc.exe
sc config vmicheartbeat start= disabled
3⤵
PID:1652

C:\Windows\SysWOW64\sc.exe
sc config vmickvpexchange start= disabled
3⤵
PID:580

C:\Windows\SysWOW64\sc.exe
sc config vmicrdv start= disabled
3⤵
PID:1712

C:\Windows\SysWOW64\sc.exe
sc config vmicshutdown start= disabled
3⤵
PID:860

C:\Windows\SysWOW64\sc.exe
sc config vmictimesync start= disabled
3⤵
PID:1172

C:\Windows\SysWOW64\sc.exe
sc config vmicvmsession start= disabled
3⤵
PID:1544

C:\Windows\SysWOW64\sc.exe
sc config vmicvss start= disabled
3⤵
PID:864

C:\Windows\SysWOW64\sc.exe
sc config W32Time start= disabled
3⤵
PID:1364

C:\Windows\SysWOW64\sc.exe
sc config WebClient start= disabled
3⤵
PID:1780

C:\Windows\SysWOW64\sc.exe
sc config Wersvc start= disabled
3⤵
PID:756

C:\Windows\SysWOW64\sc.exe
sc config winrm start= disabled
3⤵
PID:752

C:\Windows\SysWOW64\sc.exe
sc config WmdmPmSp start= disabled
3⤵
PID:1816

C:\Windows\SysWOW64\sc.exe
sc config WmiApSrv start= disabled
3⤵
PID:1760

C:\Windows\SysWOW64\sc.exe
sc config WMPNetworkSvc start= disabled
3⤵
PID:1500

C:\Windows\SysWOW64\sc.exe
sc config WZCSVC start= disabled
3⤵
PID:2000

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\winlogon.exe
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\logonui.exe
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\winlogon.exe /grant:r *S-1-2-1:RX
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1316

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\winlogon.exe /remove:g Administrators:RX
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1352

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\logonui.exe /grant:r *S-1-2-1:RX
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1616

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\logonui.exe /remove:g Administrators:RX
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1716

C:\Windows\SysWOW64\ROUTE.EXE
route -f
3⤵
PID:1620

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SetupComplete.cmd
Filesize
7KB

MD5
fcc89e58c5b046a8d2c87aca544c02b3

SHA1
ebf1a16c838cd785225cfcc764292db099312f1f

SHA256
437c669010702539e319e00c5bafad509ed5b449325ba8839856977d7a8d4a29

SHA512
43d39db19456da49cc6d1db4cf41a5a177f0a1c82ea207606d7a587b228d8527bc858068b444a5c0761be507df16c473b9cfa5a2781755c145eb65d9af25e75e

Download Submit
memory/112-90-0x0000000000000000-mapping.dmp

Download
memory/268-113-0x0000000000000000-mapping.dmp

Download
memory/340-120-0x0000000000000000-mapping.dmp

Download
memory/444-72-0x0000000000000000-mapping.dmp

Download
memory/472-97-0x0000000000000000-mapping.dmp

Download
memory/472-68-0x0000000000000000-mapping.dmp

Download
memory/524-114-0x0000000000000000-mapping.dmp

Download
memory/552-116-0x0000000000000000-mapping.dmp

Download
memory/568-122-0x0000000000000000-mapping.dmp

Download
memory/576-74-0x0000000000000000-mapping.dmp

Download
memory/580-93-0x0000000000000000-mapping.dmp

Download
memory/592-85-0x0000000000000000-mapping.dmp

Download
memory/648-89-0x0000000000000000-mapping.dmp

Download
memory/672-104-0x0000000000000000-mapping.dmp

Download
memory/776-84-0x0000000000000000-mapping.dmp

Download
memory/828-71-0x0000000000000000-mapping.dmp

Download
memory/900-64-0x0000000000000000-mapping.dmp

Download
memory/908-69-0x0000000000000000-mapping.dmp

Download
memory/956-79-0x0000000000000000-mapping.dmp

Download
memory/1004-112-0x0000000000000000-mapping.dmp

Download
memory/1004-57-0x0000000000000000-mapping.dmp

Download
memory/1012-77-0x0000000000000000-mapping.dmp

Download
memory/1056-119-0x0000000000000000-mapping.dmp

Download
memory/1100-118-0x0000000000000000-mapping.dmp

Download
memory/1152-70-0x0000000000000000-mapping.dmp

Download
memory/1172-95-0x0000000000000000-mapping.dmp

Download
memory/1300-80-0x0000000000000000-mapping.dmp

Download
memory/1360-117-0x0000000000000000-mapping.dmp

Download
memory/1360-60-0x0000000000000000-mapping.dmp

Download
memory/1376-88-0x0000000000000000-mapping.dmp

Download
memory/1488-115-0x0000000000000000-mapping.dmp

Download
memory/1520-78-0x0000000000000000-mapping.dmp

Download
memory/1532-100-0x0000000000000000-mapping.dmp

Download
memory/1580-108-0x0000000000000000-mapping.dmp

Download
memory/1596-98-0x0000000000000000-mapping.dmp

Download
memory/1600-109-0x0000000000000000-mapping.dmp

Download
memory/1612-81-0x0000000000000000-mapping.dmp

Download
memory/1616-105-0x0000000000000000-mapping.dmp

Download
memory/1640-110-0x0000000000000000-mapping.dmp

Download
memory/1652-92-0x0000000000000000-mapping.dmp

Download
memory/1672-73-0x0000000000000000-mapping.dmp

Download
memory/1684-82-0x0000000000000000-mapping.dmp

Download
memory/1700-86-0x0000000000000000-mapping.dmp

Download
memory/1700-58-0x0000000000000000-mapping.dmp

Download
memory/1716-106-0x0000000000000000-mapping.dmp

Download
memory/1740-107-0x0000000000000000-mapping.dmp

Download
memory/1748-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1784-83-0x0000000000000000-mapping.dmp

Download
memory/1816-99-0x0000000000000000-mapping.dmp

Download
memory/1840-76-0x0000000000000000-mapping.dmp

Download
memory/1860-121-0x0000000000000000-mapping.dmp

Download
memory/1896-103-0x0000000000000000-mapping.dmp

Download
memory/1908-66-0x0000000000000000-mapping.dmp

Download
memory/1908-96-0x0000000000000000-mapping.dmp

Download
memory/1916-62-0x0000000000000000-mapping.dmp

Download
memory/1916-91-0x0000000000000000-mapping.dmp

Download
memory/1928-101-0x0000000000000000-mapping.dmp

Download
memory/1932-94-0x0000000000000000-mapping.dmp

Download
memory/1940-124-0x0000000000000000-mapping.dmp

Download
memory/1960-102-0x0000000000000000-mapping.dmp

Download
memory/1988-123-0x0000000000000000-mapping.dmp

Download
memory/1992-87-0x0000000000000000-mapping.dmp

Download
memory/1996-75-0x0000000000000000-mapping.dmp

Download
memory/2004-111-0x0000000000000000-mapping.dmp

Download
memory/2012-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing