Analysis
-
max time kernel
11s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
03-05-2022 19:13
General
-
Target
a6963bb5ae9f8bd47ad12e371ddd633ca7dd7bdbe8d9d9ca09fd6f20f2442291.exe
-
Size
1.3MB
-
MD5
ce91f8d31da74fe243e6404a8866b2c1
-
SHA1
3929bb670d830dc1b990a338483d9fb389e63308
-
SHA256
a6963bb5ae9f8bd47ad12e371ddd633ca7dd7bdbe8d9d9ca09fd6f20f2442291
-
SHA512
d0525dfcd869d2dc12045cafb31872c8b9c585ed85de002eb5027f28a7e59150bfd408134fcf947b0858b819c64148b760ca5efee4f61580ac7ef493a224391b
Score
8/10
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs
-
Possible privilege escalation attempt 6 IoCs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies file permissions 1 TTPs 6 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a6963bb5ae9f8bd47ad12e371ddd633ca7dd7bdbe8d9d9ca09fd6f20f2442291.exe"C:\Users\Admin\AppData\Local\Temp\a6963bb5ae9f8bd47ad12e371ddd633ca7dd7bdbe8d9d9ca09fd6f20f2442291.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\SetupComplete.cmd" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\fsutil.exefsutil dirty query C:3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule all3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles settings inboundusernotification enable3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles settings remotemanagement disable3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /change /disable /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /change /disable /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /change /disable /tn "\Microsoft\Windows\Autochk\Proxy"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /change /disable /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /change /disable /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /change /disable /tn "\Microsoft\Windows\Application Experience\StartupAppTask"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /change /disable /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /change /disable /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /change /disable /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /change /disable /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /change /disable /tn "\Microsoft\Windows\Maintenance\WinSAT"3⤵
-
C:\Windows\SysWOW64\sc.exesc stop Alerter3⤵
-
C:\Windows\SysWOW64\sc.exesc stop Browser3⤵
-
C:\Windows\SysWOW64\sc.exesc stop bthserv3⤵
-
C:\Windows\SysWOW64\sc.exesc stop cisvc3⤵
-
C:\Windows\SysWOW64\sc.exesc stop ClipSrv3⤵
-
C:\Windows\SysWOW64\sc.exesc stop CscService3⤵
-
C:\Windows\SysWOW64\sc.exesc stop cscsvc3⤵
-
C:\Windows\SysWOW64\sc.exesc stop DiagTrack3⤵
-
C:\Windows\SysWOW64\sc.exesc stop ERSvc3⤵
-
C:\Windows\SysWOW64\sc.exesc stop helpsvc3⤵
-
C:\Windows\SysWOW64\sc.exesc stop HbHost3⤵
-
C:\Windows\SysWOW64\sc.exesc stop HidServ3⤵
-
C:\Windows\SysWOW64\sc.exesc stop HvHost3⤵
-
C:\Windows\SysWOW64\sc.exesc stop LanmanServer3⤵
-
C:\Windows\SysWOW64\sc.exesc stop lfsvc3⤵
-
C:\Windows\SysWOW64\sc.exesc stop LmHosts3⤵
-
C:\Windows\SysWOW64\sc.exesc stop MapsBroker3⤵
-
C:\Windows\SysWOW64\sc.exesc stop Messenger3⤵
-
C:\Windows\SysWOW64\sc.exesc stop mnmsrvc3⤵
-
C:\Windows\SysWOW64\sc.exesc stop NetDDE3⤵
-
C:\Windows\SysWOW64\sc.exesc stop NetDDEdsdm3⤵
-
C:\Windows\SysWOW64\sc.exesc stop Netlogon3⤵
-
C:\Windows\SysWOW64\sc.exesc stop PeerDistSvc3⤵
-
C:\Windows\SysWOW64\sc.exesc stop PhoneSvc3⤵
-
C:\Windows\SysWOW64\sc.exesc stop PolicyAgent3⤵
-
C:\Windows\SysWOW64\sc.exesc stop RDSessMgr3⤵
-
C:\Windows\SysWOW64\sc.exesc stop RemoteAccess3⤵
-
C:\Windows\SysWOW64\sc.exesc stop RemoteRegistry3⤵
-
C:\Windows\SysWOW64\sc.exesc stop Retaildemo3⤵
-
C:\Windows\SysWOW64\sc.exesc stop RpcLocator3⤵
-
C:\Windows\SysWOW64\sc.exesc stop RSVP3⤵
-
C:\Windows\SysWOW64\sc.exesc stop SCardDrv3⤵
-
C:\Windows\SysWOW64\sc.exesc stop SCardSvr3⤵
-
C:\Windows\SysWOW64\sc.exesc stop SEMgrsvc3⤵
-
C:\Windows\SysWOW64\sc.exesc stop SensorService3⤵
-
C:\Windows\SysWOW64\sc.exesc stop SensrSvc3⤵
-
C:\Windows\SysWOW64\sc.exesc stop Smsrouter3⤵
-
C:\Windows\SysWOW64\sc.exesc stop Snmptrap3⤵
-
C:\Windows\SysWOW64\sc.exesc stop SSDPSRV3⤵
-
C:\Windows\SysWOW64\sc.exesc stop SysmonLog3⤵
-
C:\Windows\SysWOW64\sc.exesc stop TlntSvr3⤵
-
C:\Windows\SysWOW64\sc.exesc stop uploadmgr3⤵
-
C:\Windows\SysWOW64\sc.exesc stop Upnphost3⤵
-
C:\Windows\SysWOW64\sc.exesc stop UPS3⤵
-
C:\Windows\SysWOW64\sc.exesc stop vmicguestinterface3⤵
-
C:\Windows\SysWOW64\sc.exesc stop vmicheartbeat3⤵
-
C:\Windows\SysWOW64\sc.exesc stop vmickvpexchange3⤵
-
C:\Windows\SysWOW64\sc.exesc stop vmicrdv3⤵
-
C:\Windows\SysWOW64\sc.exesc stop vmicshutdown3⤵
-
C:\Windows\SysWOW64\sc.exesc stop vmictimesync3⤵
-
C:\Windows\SysWOW64\sc.exesc stop vmicvmsession3⤵
-
C:\Windows\SysWOW64\sc.exesc stop vmicvss3⤵
-
C:\Windows\SysWOW64\sc.exesc stop W32Time3⤵
-
C:\Windows\SysWOW64\sc.exesc stop WebClient3⤵
-
C:\Windows\SysWOW64\sc.exesc stop Wersvc3⤵
-
C:\Windows\SysWOW64\sc.exesc stop winrm3⤵
-
C:\Windows\SysWOW64\sc.exesc stop WmdmPmSp3⤵
-
C:\Windows\SysWOW64\sc.exesc stop WmiApSrv3⤵
-
C:\Windows\SysWOW64\sc.exesc stop WMPNetworkSvc3⤵
-
C:\Windows\SysWOW64\sc.exesc stop WZCSVC3⤵
-
C:\Windows\SysWOW64\sc.exesc config Alerter start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config Browser start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config bthserv start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config cisvc start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config ClipSrv start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config CscService start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config cscsvc start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config DiagTrack start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config ERSvc start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config helpsvc start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config HbHost start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config HidServ start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config HvHost start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config LanmanServer start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config lfsvc start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config LmHosts start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config MapsBroker start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config Messenger start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config mnmsrvc start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config NetDDE start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config NetDDEdsdm start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config Netlogon start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config PeerDistSvc start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config PhoneSvc start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config PolicyAgent start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config RDSessMgr start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config RemoteAccess start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config RemoteRegistry start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config Retaildemo start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config RpcLocator start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config RSVP start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config SCardDrv start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config SCardSvr start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config SEMgrsvc start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config SensorService start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config SensrSvc start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config Smsrouter start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config Snmptrap start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config SSDPSRV start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config SysmonLog start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config TlntSvr start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config uploadmgr start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config Upnphost start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config UPS start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config vmicguestinterface start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config vmicheartbeat start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config vmickvpexchange start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config vmicrdv start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config vmicshutdown start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config vmictimesync start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config vmicvmsession start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config vmicvss start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config W32Time start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config WebClient start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config Wersvc start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config winrm start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config WmdmPmSp start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config WmiApSrv start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config WMPNetworkSvc start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config WZCSVC start= disabled3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\winlogon.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\logonui.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\winlogon.exe /grant:r *S-1-2-1:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\winlogon.exe /remove:g Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\logonui.exe /grant:r *S-1-2-1:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\logonui.exe /remove:g Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\ROUTE.EXEroute -f3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SetupComplete.cmdFilesize
7KB
MD5fcc89e58c5b046a8d2c87aca544c02b3
SHA1ebf1a16c838cd785225cfcc764292db099312f1f
SHA256437c669010702539e319e00c5bafad509ed5b449325ba8839856977d7a8d4a29
SHA51243d39db19456da49cc6d1db4cf41a5a177f0a1c82ea207606d7a587b228d8527bc858068b444a5c0761be507df16c473b9cfa5a2781755c145eb65d9af25e75e
-
memory/60-170-0x0000000000000000-mapping.dmp
-
memory/444-141-0x0000000000000000-mapping.dmp
-
memory/456-134-0x0000000000000000-mapping.dmp
-
memory/704-175-0x0000000000000000-mapping.dmp
-
memory/764-171-0x0000000000000000-mapping.dmp
-
memory/1096-151-0x0000000000000000-mapping.dmp
-
memory/1176-138-0x0000000000000000-mapping.dmp
-
memory/1292-148-0x0000000000000000-mapping.dmp
-
memory/1364-177-0x0000000000000000-mapping.dmp
-
memory/1392-169-0x0000000000000000-mapping.dmp
-
memory/1440-150-0x0000000000000000-mapping.dmp
-
memory/1484-149-0x0000000000000000-mapping.dmp
-
memory/1500-166-0x0000000000000000-mapping.dmp
-
memory/1520-187-0x0000000000000000-mapping.dmp
-
memory/1564-153-0x0000000000000000-mapping.dmp
-
memory/1664-152-0x0000000000000000-mapping.dmp
-
memory/1792-154-0x0000000000000000-mapping.dmp
-
memory/1812-130-0x0000000000000000-mapping.dmp
-
memory/1980-159-0x0000000000000000-mapping.dmp
-
memory/2252-190-0x0000000000000000-mapping.dmp
-
memory/2372-178-0x0000000000000000-mapping.dmp
-
memory/2380-181-0x0000000000000000-mapping.dmp
-
memory/2556-142-0x0000000000000000-mapping.dmp
-
memory/2872-147-0x0000000000000000-mapping.dmp
-
memory/2948-165-0x0000000000000000-mapping.dmp
-
memory/3016-155-0x0000000000000000-mapping.dmp
-
memory/3148-161-0x0000000000000000-mapping.dmp
-
memory/3208-174-0x0000000000000000-mapping.dmp
-
memory/3352-186-0x0000000000000000-mapping.dmp
-
memory/3368-176-0x0000000000000000-mapping.dmp
-
memory/3452-145-0x0000000000000000-mapping.dmp
-
memory/3612-168-0x0000000000000000-mapping.dmp
-
memory/3660-164-0x0000000000000000-mapping.dmp
-
memory/3700-189-0x0000000000000000-mapping.dmp
-
memory/3880-132-0x0000000000000000-mapping.dmp
-
memory/3904-137-0x0000000000000000-mapping.dmp
-
memory/3940-193-0x0000000000000000-mapping.dmp
-
memory/3960-183-0x0000000000000000-mapping.dmp
-
memory/3980-179-0x0000000000000000-mapping.dmp
-
memory/3984-133-0x0000000000000000-mapping.dmp
-
memory/4076-184-0x0000000000000000-mapping.dmp
-
memory/4140-192-0x0000000000000000-mapping.dmp
-
memory/4144-146-0x0000000000000000-mapping.dmp
-
memory/4196-160-0x0000000000000000-mapping.dmp
-
memory/4224-158-0x0000000000000000-mapping.dmp
-
memory/4300-191-0x0000000000000000-mapping.dmp
-
memory/4320-172-0x0000000000000000-mapping.dmp
-
memory/4444-140-0x0000000000000000-mapping.dmp
-
memory/4468-173-0x0000000000000000-mapping.dmp
-
memory/4548-162-0x0000000000000000-mapping.dmp
-
memory/4560-156-0x0000000000000000-mapping.dmp
-
memory/4568-157-0x0000000000000000-mapping.dmp
-
memory/4612-139-0x0000000000000000-mapping.dmp
-
memory/4624-135-0x0000000000000000-mapping.dmp
-
memory/4728-180-0x0000000000000000-mapping.dmp
-
memory/4800-188-0x0000000000000000-mapping.dmp
-
memory/4984-136-0x0000000000000000-mapping.dmp
-
memory/4988-194-0x0000000000000000-mapping.dmp
-
memory/5016-182-0x0000000000000000-mapping.dmp
-
memory/5020-167-0x0000000000000000-mapping.dmp
-
memory/5024-143-0x0000000000000000-mapping.dmp
-
memory/5060-185-0x0000000000000000-mapping.dmp
-
memory/5088-163-0x0000000000000000-mapping.dmp
-
memory/5112-144-0x0000000000000000-mapping.dmp