Analysis
- max time kernel: 148s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-07-2022 03:52
Static task: static1
Behavioral task: behavioral1
- Sample: 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
- Resource: win10v2004-20220414-en
General
- Target: 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
- Size: 5.4MB
- MD5: a755f76611af191caac97da04633b012
- SHA1: ee2fba5a45e09e560c67f5107f76cf6e9a36ab53
- SHA256: 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6
- SHA512: b53fee6fb2b1013989e963b67f11924b8498e198b779fcfb49dc2154ca1a61c89f5abb32b91ed1052052a9c40f7ee1c2c58abf6ee1877b712d7b5899f2d97840
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | CPUInfo.exe
Drops file in Drivers directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | cmd.exe
Executes dropped EXE 1 IoCs
Processes:
pid | process
1628 | CPUInfo.exe
Sets file execution options in registry 2 TTPs 20 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wax.exe\debugger = "taskkill.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Systmss.exe | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1.exe | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3.exe | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss..exe\debugger = "taskkill.exe" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Systmss.exe\debugger = "taskkill.exe" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauc1t.exe\debugger = "taskkill.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\2.exe | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1.exe\debugger = "taskkill.exe" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3.exe\debugger = "taskkill.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanol.exe | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanol.exe\debugger = "taskkill.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostr.exe | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss..exe | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wax.exe | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ystmss.exe | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ystmss.exe\debugger = "taskkill.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauc1t.exe | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\2.exe\debugger = "taskkill.exe" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostr.exe\debugger = "taskkill.exe" | reg.exe
Sets file to hidden 1 TTPs 13 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
process: attrib.exe
pids: 1744, 1096, 1000, 792, 544, 1116, 1116, 2044, 1204, 300, 588, 1404, 576
Stops running service(s) 3 TTPs
-
resource | yara_rule
behavioral1/memory/1108-57-0x0000000000400000-0x0000000000A2E000-memory.dmp | upx
behavioral1/memory/1108-68-0x0000000000400000-0x0000000000A2E000-memory.dmp | upx
Deletes itself 1 IoCs
Processes:
pid | process
1512 | WScript.exe
Modifies file permissions 1 TTPs 3 IoCs
Processes:
process: takeown.exe
pids: 560, 1708, 1684
Drops file in System32 directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\WUDHostServices.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | CPUInfo.exe
File opened for modification | C:\Windows\SysWOW64\ftp.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\ftp.exe | attrib.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
1628 | CPUInfo.exe
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\program files (x86)\stormii | attrib.exe
File opened for modification | C:\Progra~1\dll | attrib.exe
Drops file in Windows directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\windows\IIS\x86.dll | 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File created | C:\windows\IIS\etebCore-2.x86.dll | CPUInfo.exe
File created | C:\windows\IIS\pcreposix-0.dll | CPUInfo.exe
File created | C:\windows\IIS\trch.dll | CPUInfo.exe
File created | C:\windows\IIS\xdvl-0.dll | CPUInfo.exe
File created | C:\windows\IIS\2.txt | CPUInfo.exe
File created | C:\windows\IIS\eteb-2.dll | CPUInfo.exe
File created | C:\windows\IIS\iconv.dll | CPUInfo.exe
File created | C:\windows\IIS\libiconv-2.dll | CPUInfo.exe
File created | C:\windows\IIS\pcrecpp-0.dll | CPUInfo.exe
File created | C:\windows\IIS\trfo-2.dll | CPUInfo.exe
File created | C:\windows\IIS\exma.dll | CPUInfo.exe
File created | C:\windows\IIS\1.txt | CPUInfo.exe
File opened for modification | C:\windows\IIS\x64.dll | 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File created | \??\c:\windows\demc.bat | 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File created | C:\windows\IIS\Esteemaudit-2.1.0.fb | CPUInfo.exe
File created | C:\windows\IIS\cnli-0.dll | CPUInfo.exe
File created | C:\windows\IIS\coli-0.dll | CPUInfo.exe
File created | C:\windows\IIS\Eternalchampion-2.0.0.fb | CPUInfo.exe
File created | C:\windows\IIS\Esteemaudittouch-2.1.0.exe | CPUInfo.exe
File created | C:\windows\IIS\etchCore-0.x86.dll | CPUInfo.exe
File created | C:\windows\IIS\zlib1.dll | CPUInfo.exe
File created | \??\c:\windows\demo.bat | 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File created | C:\windows\IIS\s.exe | CPUInfo.exe
File created | C:\windows\IIS\Doublepulsar-1.3.1.xml | CPUInfo.exe
File created | C:\windows\IIS\Esteemaudittouch-2.1.0.xml | CPUInfo.exe
File created | C:\windows\IIS\tibe.dll | CPUInfo.exe
File created | C:\windows\IIS\crli-0.dll | CPUInfo.exe
File created | C:\windows\IIS\riar.dll | CPUInfo.exe
File created | C:\windows\IIS\trch-0.dll | CPUInfo.exe
File created | C:\windows\IIS\x64.dll | 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File created | C:\windows\IIS\free.bat | 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File created | C:\windows\IIS\x86.dll | CPUInfo.exe
File created | C:\windows\IIS\adfw.dll | CPUInfo.exe
File created | C:\windows\IIS\adfw-2.dll | CPUInfo.exe
File created | C:\windows\IIS\tucl.dll | CPUInfo.exe
File created | C:\windows\IIS\Doublepulsar-1.3.1.exe | CPUInfo.exe
File created | C:\windows\IIS\Eternalblue-2.2.0.exe | CPUInfo.exe
File created | C:\windows\IIS\exma-1.dll | CPUInfo.exe
File created | C:\windows\IIS\cnli-1.dll | CPUInfo.exe
File created | C:\windows\IIS\etebCore-2.x64.dll | CPUInfo.exe
File created | C:\windows\IIS\pcre-0.dll | CPUInfo.exe
File created | C:\windows\IIS\etch-0.dll | CPUInfo.exe
File created | C:\windows\IIS\tibe-2.dll | CPUInfo.exe
File created | C:\windows\IIS\trch-1.dll | CPUInfo.exe
File created | C:\windows\IIS\trfo.dll | CPUInfo.exe
File created | C:\windows\IIS\zibe.dll | CPUInfo.exe
File created | C:\windows\IIS\pcla-0.dll | CPUInfo.exe
File created | C:\windows\IIS\trfo-0.dll | CPUInfo.exe
File created | C:\windows\IIS\dmgd-1.dll | CPUInfo.exe
File created | C:\windows\IIS\riar-2.dll | CPUInfo.exe
File created | C:\windows\IIS\tucl-1.dll | CPUInfo.exe
File created | C:\windows\IIS\CPUInfo.exe | 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File opened for modification | C:\Windows\svchost.exe | attrib.exe
File created | C:\windows\IIS\Esteemaudittouch-2.1.0.fb | CPUInfo.exe
File created | C:\windows\IIS\etchCore-0.x64.dll | CPUInfo.exe
File created | C:\windows\IIS\posh.dll | CPUInfo.exe
File created | C:\windows\IIS\Esteemaudit-2.1.0.exe | CPUInfo.exe
File created | C:\windows\IIS\dmgd-4.dll | CPUInfo.exe
File created | C:\windows\IIS\ucl.dll | CPUInfo.exe
File opened for modification | C:\Windows\srvany.exe | attrib.exe
File created | C:\windows\IIS\Eternalblue-2.2.0.xml | CPUInfo.exe
File created | C:\windows\IIS\tibe-1.dll | CPUInfo.exe
File created | C:\windows\IIS\libxml2.dll | CPUInfo.exe
Launches sc.exe 25 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
process: sc.exe
pids: 1636, 1728, 1908, 1160, 876, 304, 1720, 1960, 840, 568, 480, 1176, 1912, 1432, 2008, 1956, 1308, 608, 1036, 2028, 1800, 1252, 1924, 1176, 1812
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid | process
1996 | ipconfig.exe
Kills process with WMI 12 IoCs
Processes:
process: WMIC.exe
pids: 852, 780, 964, 1696, 1708, 1432, 1068, 1708, 2012, 708, 1612, 1684
Kills process with taskkill 42 IoCs
Processes:
process: taskkill.exe
pids: 1608, 1068, 764, 876, 1876, 1488, 1968, 792, 608, 1312, 1780, 1908, 468, 1624, 1420, 1924, 1996, 1824, 304, 1632, 1728, 1068, 1068, 1008, 1612, 912, 1800, 1824, 1164, 908, 1112, 844, 468, 1776, 1900, 1972, 2008, 428, 1116, 1420, 688, 1504
Modifies data under HKEY_USERS 12 IoCs
Processes:
description | ioc | process
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | CPUInfo.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | CPUInfo.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | CPUInfo.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | CPUInfo.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | CPUInfo.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | CPUInfo.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | CPUInfo.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | CPUInfo.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | CPUInfo.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | CPUInfo.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | CPUInfo.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | CPUInfo.exe
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
process: CPUInfo.exe
pids: 1628, 1628, 1628, 1628, 1628, 1628, 1628, 1628, 1628, 1628, 1628, 1628, 1628, 1628, 1628
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
pid 852 WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
pid 852 WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
pid 1068 WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
pid 1068 WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
1108 | 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
1108 | 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
1628 | CPUInfo.exe
1628 | CPUInfo.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process (each row listed 4 times in the report)
PID 1108 wrote to memory of 1080 | 1108 | 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe | cmd.exe
PID 1108 wrote to memory of 956 | 1108 | 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe | cmd.exe
PID 1080 wrote to memory of 852 | 1080 | cmd.exe | WMIC.exe
PID 956 wrote to memory of 1176 | 956 | cmd.exe | sc.exe
PID 956 wrote to memory of 2028 | 956 | cmd.exe | sc.exe
PID 956 wrote to memory of 708 | 956 | cmd.exe | schtasks.exe
PID 956 wrote to memory of 520 | 956 | cmd.exe | schtasks.exe
PID 956 wrote to memory of 1160 | 956 | cmd.exe | schtasks.exe
PID 1108 wrote to memory of 1512 | 1108 | 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe | WScript.exe
PID 1080 wrote to memory of 1412 | 1080 | cmd.exe | cmd.exe
PID 1080 wrote to memory of 1624 | 1080 | cmd.exe | cacls.exe
PID 1080 wrote to memory of 1116 | 1080 | cmd.exe | attrib.exe
PID 1080 wrote to memory of 1884 | 1080 | cmd.exe | cmd.exe
PID 1080 wrote to memory of 1072 | 1080 | cmd.exe | cacls.exe
PID 1080 wrote to memory of 1068 | 1080 | cmd.exe | WMIC.exe
PID 1080 wrote to memory of 1912 | 1080 | cmd.exe | sc.exe
Views/modifies file attributes 1 TTPs 15 IoCs
Processes:
process: attrib.exe
pids: 300, 792, 2044, 764, 1404, 1116, 1096, 840, 588, 1000, 1204, 576, 544, 1116, 1744
Processes (tree; indentation shows parent/child depth, signatures listed under each process)
- C:\Users\Admin\AppData\Local\Temp\483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe"
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c c:\windows\demc.bat
    - Drops file in Drivers directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic process where "name='server.exe' and ExecutablePath='C:\\program files (x86)\\stormii\\server.exe'" call Terminate
      - Kills process with WMI
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - C:\Windows\SysWOW64\cacls.exe
      Command line: cacls "C:\program files (x86)\stormii\server.exe" /d everyone
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +s +h +r +a "C:\program files (x86)\stormii"
      - Sets file to hidden
      - Drops file in Program Files directory
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - C:\Windows\SysWOW64\cacls.exe
      Command line: cacls "C:\program files (x86)\stormii" /d everyone
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic process where "name='conhost.exe' and ExecutablePath='C:\\program files (x86)\\windows nt\\conhost.exe'" call Terminate
      - Kills process with WMI
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc delete SuperProServerST
      - Launches sc.exe
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im ftp.exe
      - Kills process with taskkill
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\SysWOW64\ftp.exe /a
      - Modifies file permissions
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\ftp.exe /a
      - Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - C:\Windows\SysWOW64\cacls.exe
      Command line: cacls C:\Windows\System32\ftp.exe /g users:f
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - C:\Windows\SysWOW64\cacls.exe
      Command line: cacls C:\Windows\SysWOW64\ftp.exe /g users:f
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +s +h +r C:\Windows\SysWOW64\ftp.exe
      - Sets file to hidden
      - Drops file in System32 directory
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +s +h +r C:\Windows\System32\ftp.exe
      - Sets file to hidden
      - Drops file in System32 directory
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - C:\Windows\SysWOW64\cacls.exe
      Command line: cacls C:\Windows\SysWOW64\ftp.exe /d everyone
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - C:\Windows\SysWOW64\cacls.exe
      Command line: cacls C:\Windows\System32\ftp.exe /d everyone
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\system32\Drivers\etc\hosts /a
      - Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - C:\Windows\SysWOW64\cacls.exe
      Command line: cacls C:\Windows\system32\Drivers\etc\hosts /g users:f
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -s -h -a -r C:\Windows\system32\Drivers\etc\hosts
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +s +h +a +r C:\Windows\system32\Drivers\etc\hosts
      - Sets file to hidden
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig /flushdns
      - Gathers network information
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h -r -s -a C:\ProgramData
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im CPUInfo.exe
      - Kills process with taskkill
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im up.exe
      - Kills process with taskkill
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im block.exe
      - Kills process with taskkill
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im cpu.exe
      - Kills process with taskkill
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im svshostr.exe
      - Kills process with taskkill
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc stop xtfya
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc delete xtfya
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc stop "Network Support"
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc delete "Network Support"
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc stop "HomeGroup Support"
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc delete "HomeGroup Support"
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc stop xtfy
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc delete xtfy
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc stop Natioanl
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc delete Natioanl
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc stop Natihial
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc delete Natihial
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc stop "Interactive Services Detection Report"
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc delete "Interactive Services Detection Report"
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc stop "mssecsvc2.0"
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc delete "mssecsvc2.0"
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc stop "mssecsvc2.1"
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc delete "mssecsvc2.1"
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc stop ServiceMais
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc delete ServiceMais
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc stop ServiceMaims
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc delete ServiceMaims
      - Launches sc.exe
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +s +h +r C:\ProgramData\dll
      - Sets file to hidden
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - C:\Windows\SysWOW64\cacls.exe
      Command line: cacls C:\ProgramData\dll /d everyone
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +s +h +r C:\Progra~1\dll
      - Sets file to hidden
      - Drops file in Program Files directory
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - C:\Windows\SysWOW64\cacls.exe
      Command line: cacls C:\Progra~1\dll /d everyone
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +s +h +r c:\wax.exe
      - Sets file to hidden
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - C:\Windows\SysWOW64\cacls.exe
      Command line: cacls c:\wax.exe /d everyone
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - C:\Windows\SysWOW64\cacls.exe
      Command line: cacls C:\ProgramData\Natihial\svshostr.exe /d everyone
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - C:\Windows\SysWOW64\cacls.exe
      Command line: cacls C:\ProgramData\Microsoft\Natihial\cmd.exe /d everyone
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - C:\Windows\SysWOW64\cacls.exe
      Command line: cacls C:\ProgramData\expl0rer.exe /d everyone
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - C:\Windows\SysWOW64\cacls.exe
      Command line: cacls C:\windows\svchost.exe /d everyone
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: Wmic Process Where "Name='cmd.exe' And ExecutablePath='C:\\ProgramData\\Microsoft\\Natihial\\cmd.exe'" Call Terminate
      - Kills process with WMI
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /delete /tn "Adobe Flash Player Updaters" /f
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\svchost.exe'" call Terminate
      - Kills process with WMI
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\dll\\svchost.exe'" call Terminate
      - Kills process with WMI
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\dll\\csrss.exe'" call Terminate
      - Kills process with WMI
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\Natioanl\\svchostr.exe'" call Terminate
      - Kills process with WMI
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\Natioanl\\csrss..exe'" call Terminate
      - Kills process with WMI
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\nm\\winlogin.exe'" call Terminate
      - Kills process with WMI
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +s +h +r C:\Windows\svchost.exe
      - Sets file to hidden
      - Drops file in Windows directory
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - C:\Windows\SysWOW64\cacls.exe
      Command line: cacls C:\Windows\svchost.exe /d everyone
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im tasksche.exe
      - Kills process with taskkill
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +s +h +r C:\Windows\tasksche.exe
      - Sets file to hidden
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - C:\Windows\SysWOW64\cacls.exe
      Command line: cacls C:\Windows\tasksche.exe /d everyone
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im srvany.exe
      - Kills process with taskkill
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +s +h +r C:\Windows\srvany.exe
      - Sets file to hidden
      - Drops file in Windows directory
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - C:\Windows\SysWOW64\cacls.exe
      Command line: cacls C:\Windows\srvany.exe /d everyone
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im WUDHostServices.exe
      - Kills process with taskkill
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +s +h +r C:\Windows\System32\WUDHostServices.exe
      - Sets file to hidden
      - Drops file in System32 directory
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - C:\Windows\SysWOW64\cacls.exe
      Command line: cacls C:\Windows\System32\WUDHostServices.exe /d everyone
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im wbmoney.exe
      - Kills process with taskkill
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im GGtbviewer.exe
      - Kills process with taskkill
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im Netohad.pif
      - Kills process with taskkill
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im Qrhkveb.com
      - Kills process with taskkill
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im Tnntknl.com
      - Kills process with taskkill
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im Snwhtdw.bat
      - Kills process with taskkill
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im dllhsot.exe
      - Kills process with taskkill
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im Tasksvr.exe
      - Kills process with taskkill
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im serices.exe
      - Kills process with taskkill
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im seever.exe
      - Kills process with taskkill
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im mssecsvc.exe
      - Kills process with taskkill
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im svchsot.exe
      - Kills process with taskkill
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im lsacs.exe
      - Kills process with taskkill
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im nsa.exe
      - Kills process with taskkill
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im csrs.exe
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WerFault.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WScript.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im NV-NO.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im NV.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im Eternalblue-2.2.0.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im Eternalchampion-2.0.0.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im Doublepulsar-1.3.1.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='explorer.exe' and ExecutablePath='C:\\Windows\\system\\explorer.exe'" call Terminate3⤵
- Kills process with WMI
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='explorer.exe' and ExecutablePath='C:\\Windows\\Fonts\\explorer.exe'" call Terminate3⤵
- Kills process with WMI
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\Fonts\\conhost.exe'" call Terminate3⤵
- Kills process with WMI
- [depth 3] C:\Windows\SysWOW64\reg.exe: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe" /f
- [depth 3] C:\Windows\SysWOW64\reg.exe: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /f
- [depth 3] C:\Windows\SysWOW64\reg.exe: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundllhost.exe" /f
- [depth 3] C:\Windows\SysWOW64\reg.exe: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sc.exe" /f
- [depth 3] C:\Windows\SysWOW64\reg.exe: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schtasks.exe" /f
- [depth 3] C:\Windows\SysWOW64\reg.exe: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wax.exe" /v "debugger" /d taskkill.exe /f
  - Sets file execution options in registry
- [depth 3] C:\Windows\SysWOW64\reg.exe: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Systmss.exe" /v "debugger" /d taskkill.exe /f
  - Sets file execution options in registry
- [depth 3] C:\Windows\SysWOW64\reg.exe: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ystmss.exe" /v "debugger" /d taskkill.exe /f
  - Sets file execution options in registry
- [depth 3] C:\Windows\SysWOW64\reg.exe: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauc1t.exe" /v "debugger" /d taskkill.exe /f
  - Sets file execution options in registry
- [depth 3] C:\Windows\SysWOW64\reg.exe: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\2.exe" /v "debugger" /d taskkill.exe /f
  - Sets file execution options in registry
- [depth 3] C:\Windows\SysWOW64\reg.exe: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1.exe" /v "debugger" /d taskkill.exe /f
  - Sets file execution options in registry
- [depth 3] C:\Windows\SysWOW64\reg.exe: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3.exe" /v "debugger" /d taskkill.exe /f
  - Sets file execution options in registry
- [depth 3] C:\Windows\SysWOW64\reg.exe: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanol.exe" /v "debugger" /d taskkill.exe /f
  - Sets file execution options in registry
- [depth 3] C:\Windows\SysWOW64\reg.exe: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostr.exe" /v "debugger" /d taskkill.exe /f
  - Sets file execution options in registry
- [depth 3] C:\Windows\SysWOW64\reg.exe: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss..exe" /v "debugger" /d taskkill.exe /f
  - Sets file execution options in registry
- [depth 3] C:\Windows\SysWOW64\taskkill.exe: taskkill /f /t /im lservice.exe
  - Kills process with taskkill
- [depth 3] C:\Windows\SysWOW64\taskkill.exe: taskkill /f /t /im ystmss.exe
  - Kills process with taskkill
- [depth 3] C:\Windows\SysWOW64\taskkill.exe: taskkill /f /t /im wuauc1t.exe
  - Kills process with taskkill
- [depth 2] C:\Windows\SysWOW64\cmd.exe: cmd /c c:\windows\demo.bat
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\SysWOW64\sc.exe: sc config Schedule start= auto
  - Launches sc.exe
- [depth 3] C:\Windows\SysWOW64\sc.exe: sc start Schedule
  - Launches sc.exe
- [depth 3] C:\Windows\SysWOW64\schtasks.exe: schtasks /delete /tn RavTask /f
- [depth 3] C:\Windows\SysWOW64\schtasks.exe: schtasks /delete /tn GooglePinginConfigs /f
- [depth 3] C:\Windows\SysWOW64\schtasks.exe: schtasks /create /sc minute /mo 240 /tn "RavTask" /tr "C:\windows\IIS\free.bat" /ru "system" /f
  - Creates scheduled task(s)
- [depth 3] C:\Windows\SysWOW64\schtasks.exe: schtasks /create /tn "GooglePinginConfigs" /tr "C:\windows\IIS\CPUInfo.exe" /sc onstart /ru "system" /f
  - Creates scheduled task(s)
- [depth 3] C:\Windows\SysWOW64\attrib.exe: C:\Windows\System32\attrib +s +h C:\WINDOWS\Tasks\RavTask.job
  - Sets file to hidden
  - Views/modifies file attributes
- [depth 3] C:\Windows\SysWOW64\attrib.exe: C:\Windows\System32\attrib +s +h C:\WINDOWS\Tasks\GooglePinginConfigs.job
  - Sets file to hidden
  - Views/modifies file attributes
- [depth 3] C:\Windows\SysWOW64\schtasks.exe: schtasks /run /tn "RavTask"
- [depth 2] C:\Windows\SysWOW64\WScript.exe: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
  - Deletes itself
- [depth 1] C:\Windows\system32\taskeng.exe: taskeng.exe {F8803003-212D-422F-861F-EFCF9BD9F0B0} S-1-5-18:NT AUTHORITY\System:Service:
- [depth 2] C:\Windows\SYSTEM32\cmd.exe: C:\Windows\SYSTEM32\cmd.exe /c "C:\windows\IIS\free.bat"
- [depth 3] C:\Windows\system32\PING.EXE: ping -n 2 127.0.0.1
  - Runs ping.exe
- [depth 3] C:\Windows\system32\taskkill.exe: taskkill /f /t /im NV-NO.exe
  - Kills process with taskkill
- [depth 3] C:\Windows\system32\taskkill.exe: taskkill /f /t /im NV.exe
  - Kills process with taskkill
- [depth 3] C:\Windows\system32\taskkill.exe: taskkill /f /t /im Eternalblue-2.2.0.exe
  - Kills process with taskkill
- [depth 3] C:\Windows\system32\taskkill.exe: taskkill /f /t /im Eternalchampion-2.0.0.exe
  - Kills process with taskkill
- [depth 3] C:\Windows\system32\taskkill.exe: taskkill /f /t /im Doublepulsar-1.3.1.exe
  - Kills process with taskkill
- [depth 3] C:\Windows\system32\taskkill.exe: taskkill /f /im mysqld.exe
  - Kills process with taskkill
- [depth 3] C:\Windows\system32\taskkill.exe: taskkill /f /im CPUInfo.exe
  - Kills process with taskkill
- [depth 3] C:\Windows\system32\taskkill.exe: taskkill /f /im jvav.exe
  - Kills process with taskkill
- [depth 3] C:\Windows\system32\PING.EXE: ping -n 5 127.0.0.1
  - Runs ping.exe
- [depth 3] C:\Windows\system32\schtasks.exe: schtasks /run /tn "GooglePinginConfigs"
- [depth 2] C:\windows\IIS\CPUInfo.exe: C:\windows\IIS\CPUInfo.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
- Persistence
  - Registry Run Keys / Startup Folder (1)
  - Hidden Files and Directories (2)
  - Modify Existing Service (1)
  - Scheduled Task (1)
- Defense Evasion
  - Virtualization/Sandbox Evasion (1)
  - Modify Registry (1)
  - Hidden Files and Directories (2)
  - Impair Defenses (1)
  - File Permissions Modification (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tem.vbs
  - Filesize: 275B
  - MD5: ef1c7052536cd8a4ed2912e520c2a730
  - SHA1: 372c30cd30ec0ba499ed497453295bb84e89b86b
  - SHA256: 060183c7d23452e3f89d914049218eae7e84ce725e10d315638dc644a23873fc
  - SHA512: 7bdc914f8e002fc6141cdab3b4619a54735555ccb8fd508a57d341bfe2967f159b464b35954a120fdd38b6e9422663511964367fbfea07994f2653d9b9f85fae
- C:\Windows\IIS\CPUInfo.exe
  - Filesize: 5.3MB
  - MD5: 1065f9b7c189f4a22d7f11626f16b976
  - SHA1: 562ea85b1d91f08448b2885d8346231f311d656f
  - SHA256: 3889f6902bcbcb7cc477c599b3fec4864ffe0ce6c34a6079473232d5bf5c1de0
  - SHA512: bd112a5741087ba50dcfb201b39a23202030107bd069067f20e38a5706492fb134a00b117952e29479b42da2a04a498ce5df06187c34e065cea94538bed60c41
- C:\windows\IIS\CPUInfo.exe
  - Filesize: 5.3MB
  - MD5: 1065f9b7c189f4a22d7f11626f16b976
  - SHA1: 562ea85b1d91f08448b2885d8346231f311d656f
  - SHA256: 3889f6902bcbcb7cc477c599b3fec4864ffe0ce6c34a6079473232d5bf5c1de0
  - SHA512: bd112a5741087ba50dcfb201b39a23202030107bd069067f20e38a5706492fb134a00b117952e29479b42da2a04a498ce5df06187c34e065cea94538bed60c41
- C:\windows\IIS\free.bat
  - Filesize: 379B
  - MD5: 857fc3145d5aee4399bf6c9fd9dc8245
  - SHA1: 18c27ecbebc5a3095e95690f2399c7b5e92e40fd
  - SHA256: 2401f4b6f34644668ee50911fb7e9d51c82b65776eea940f0e8e16ff9ec9d68e
  - SHA512: 289da4490f7623cca94adb6f19006dfa5628a1080ac963199e05fdca65a1f2d7db888f5aa63ee264c5c6c781cb802e8a8d07cec14c8ab4cf7be2ad07516caf35
- \??\c:\windows\demc.bat
  - Filesize: 7KB
  - MD5: a17bd95441d3fa37660e87842dc896aa
  - SHA1: 83951f95e5739593ac0a2d71b56075509298e542
  - SHA256: 3457579ecd591d2905e833be4aa7215e0302623447c1072bb55586c4a0284203
  - SHA512: bd7cb5dbc9f11ace523bc89486b8d097f6c092a9f09b1dc847d7b4854db7f42a292aef20bd4d3d89a743f67607ebb0156327644def83fd5ea30c239297e53b1f
- \??\c:\windows\demo.bat
  - Filesize: 511B
  - MD5: 11275993a1a8f44371ab48820422b273
  - SHA1: 01a96b635ffea21d3d7ac6c4694ce1da25bcbb33
  - SHA256: 59f0d74e831cbd6b08b14e7c4efbe383b0ea8b7463fda81c35acee799c983e6e
  - SHA512: db1df17de51e48d18cfc145983b1d9851e94f9fc908e99d5534516b81677e1e8c353d438422b45fd9702b85e0d9103297a86313b6bdc654703f01f23f4aab74c
- memory/300-102-0x0000000000000000-mapping.dmp
- memory/304-109-0x0000000000000000-mapping.dmp
- memory/428-77-0x0000000000000000-mapping.dmp
- memory/480-125-0x0000000000000000-mapping.dmp
- memory/520-64-0x0000000000000000-mapping.dmp
- memory/520-89-0x0000000000000000-mapping.dmp
- memory/560-79-0x0000000000000000-mapping.dmp
- memory/568-124-0x0000000000000000-mapping.dmp
- memory/608-123-0x0000000000000000-mapping.dmp
- memory/688-78-0x0000000000000000-mapping.dmp
- memory/708-63-0x0000000000000000-mapping.dmp
- memory/764-98-0x0000000000000000-mapping.dmp
- memory/840-122-0x0000000000000000-mapping.dmp
- memory/840-94-0x0000000000000000-mapping.dmp
- memory/852-60-0x0000000000000000-mapping.dmp
- memory/876-108-0x0000000000000000-mapping.dmp
- memory/908-83-0x0000000000000000-mapping.dmp
- memory/956-56-0x0000000000000000-mapping.dmp
- memory/1068-75-0x0000000000000000-mapping.dmp
- memory/1068-106-0x0000000000000000-mapping.dmp
- memory/1072-74-0x0000000000000000-mapping.dmp
- memory/1076-84-0x0000000000000000-mapping.dmp
- memory/1080-55-0x0000000000000000-mapping.dmp
- memory/1096-86-0x0000000000000000-mapping.dmp
- memory/1108-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
  - Filesize: 8KB
- memory/1108-57-0x0000000000400000-0x0000000000A2E000-memory.dmp
  - Filesize: 6.2MB
- memory/1108-68-0x0000000000400000-0x0000000000A2E000-memory.dmp
  - Filesize: 6.2MB
- memory/1116-103-0x0000000000000000-mapping.dmp
- memory/1116-72-0x0000000000000000-mapping.dmp
- memory/1160-65-0x0000000000000000-mapping.dmp
- memory/1160-107-0x0000000000000000-mapping.dmp
- memory/1176-114-0x0000000000000000-mapping.dmp
- memory/1176-61-0x0000000000000000-mapping.dmp
- memory/1204-101-0x0000000000000000-mapping.dmp
- memory/1252-113-0x0000000000000000-mapping.dmp
- memory/1308-120-0x0000000000000000-mapping.dmp
- memory/1376-87-0x0000000000000000-mapping.dmp
- memory/1412-69-0x0000000000000000-mapping.dmp
- memory/1420-105-0x0000000000000000-mapping.dmp
- memory/1432-112-0x0000000000000000-mapping.dmp
- memory/1464-93-0x0000000000000000-mapping.dmp
- memory/1512-66-0x0000000000000000-mapping.dmp
- memory/1608-104-0x0000000000000000-mapping.dmp
- memory/1612-90-0x0000000000000000-mapping.dmp
- memory/1624-100-0x0000000000000000-mapping.dmp
- memory/1624-71-0x0000000000000000-mapping.dmp
- memory/1628-129-0x0000000000400000-0x0000000000F53000-memory.dmp
  - Filesize: 11.3MB
- memory/1628-135-0x00000000777B0000-0x0000000077930000-memory.dmp
  - Filesize: 1.5MB
- memory/1628-133-0x0000000000400000-0x0000000000F53000-memory.dmp
  - Filesize: 11.3MB
- memory/1628-132-0x00000000777B0000-0x0000000077930000-memory.dmp
  - Filesize: 1.5MB
- memory/1628-134-0x0000000000400000-0x0000000000F53000-memory.dmp
  - Filesize: 11.3MB
- memory/1628-131-0x0000000000400000-0x0000000000F53000-memory.dmp
  - Filesize: 11.3MB
- memory/1636-118-0x0000000000000000-mapping.dmp
- memory/1684-91-0x0000000000000000-mapping.dmp
- memory/1708-80-0x0000000000000000-mapping.dmp
- memory/1720-119-0x0000000000000000-mapping.dmp
- memory/1744-85-0x0000000000000000-mapping.dmp
- memory/1800-81-0x0000000000000000-mapping.dmp
- memory/1800-111-0x0000000000000000-mapping.dmp
- memory/1812-117-0x0000000000000000-mapping.dmp
- memory/1812-88-0x0000000000000000-mapping.dmp
- memory/1824-99-0x0000000000000000-mapping.dmp
- memory/1832-82-0x0000000000000000-mapping.dmp
- memory/1884-73-0x0000000000000000-mapping.dmp
- memory/1912-76-0x0000000000000000-mapping.dmp
- memory/1924-110-0x0000000000000000-mapping.dmp
- memory/1956-116-0x0000000000000000-mapping.dmp
- memory/1960-121-0x0000000000000000-mapping.dmp
- memory/1996-96-0x0000000000000000-mapping.dmp
- memory/2008-115-0x0000000000000000-mapping.dmp
- memory/2024-92-0x0000000000000000-mapping.dmp
- memory/2028-62-0x0000000000000000-mapping.dmp
- memory/2044-95-0x0000000000000000-mapping.dmp