wannacry | 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6

General

Target

483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
Size

5.4MB
MD5

a755f76611af191caac97da04633b012
SHA1

ee2fba5a45e09e560c67f5107f76cf6e9a36ab53
SHA256

483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6
SHA512

b53fee6fb2b1013989e963b67f11924b8498e198b779fcfb49dc2154ca1a61c89f5abb32b91ed1052052a9c40f7ee1c2c58abf6ee1877b712d7b5899f2d97840

Score

10^/10

wannacry discovery evasion persistence ransomware upx worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

CPUInfo.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ CPUInfo.exe
Drops file in Drivers directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts cmd.exe
Executes dropped EXE 1 IoCs

Processes:

CPUInfo.exe

pid process

1628 CPUInfo.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CPUInfo.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Sets file execution options in registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wax.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Systmss.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss..exe\debugger = "taskkill.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Systmss.exe\debugger = "taskkill.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauc1t.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\2.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1.exe\debugger = "taskkill.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanol.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanol.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostr.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss..exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wax.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ystmss.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ystmss.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauc1t.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\2.exe\debugger = "taskkill.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostr.exe\debugger = "taskkill.exe"	reg.exe

Sets file to hidden 1 TTPs 13 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
1744	attrib.exe
1096	attrib.exe
1000	attrib.exe
792	attrib.exe
544	attrib.exe
1116	attrib.exe
1116	attrib.exe
2044	attrib.exe
1204	attrib.exe
300	attrib.exe
588	attrib.exe
1404	attrib.exe
576	attrib.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1108-57-0x0000000000400000-0x0000000000A2E000-memory.dmp	upx
behavioral1/memory/1108-68-0x0000000000400000-0x0000000000A2E000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

1512 WScript.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exetakeown.exetakeown.exe

pid process

560 takeown.exe
1708 takeown.exe
1684 takeown.exe

pid	process
1512	WScript.exe

pid	process
560	takeown.exe
1708	takeown.exe
1684	takeown.exe

Drops file in System32 directory 4 IoCs

Processes:

attrib.exeCPUInfo.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WUDHostServices.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	CPUInfo.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	attrib.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

CPUInfo.exe

pid process

1628 CPUInfo.exe
Drops file in Program Files directory 2 IoCs

Processes:

attrib.exeattrib.exe

description ioc process

File opened for modification C:\program files (x86)\stormii attrib.exe
File opened for modification C:\Progra~1\dll attrib.exe

description	ioc	process
File opened for modification	C:\program files (x86)\stormii	attrib.exe
File opened for modification	C:\Progra~1\dll	attrib.exe

Drops file in Windows directory 64 IoCs

Processes:

483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exeCPUInfo.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\windows\IIS\x86.dll	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File created	C:\windows\IIS\etebCore-2.x86.dll	CPUInfo.exe
File created	C:\windows\IIS\pcreposix-0.dll	CPUInfo.exe
File created	C:\windows\IIS\trch.dll	CPUInfo.exe
File created	C:\windows\IIS\xdvl-0.dll	CPUInfo.exe
File created	C:\windows\IIS\2.txt	CPUInfo.exe
File created	C:\windows\IIS\eteb-2.dll	CPUInfo.exe
File created	C:\windows\IIS\iconv.dll	CPUInfo.exe
File created	C:\windows\IIS\libiconv-2.dll	CPUInfo.exe
File created	C:\windows\IIS\pcrecpp-0.dll	CPUInfo.exe
File created	C:\windows\IIS\trfo-2.dll	CPUInfo.exe
File created	C:\windows\IIS\exma.dll	CPUInfo.exe
File created	C:\windows\IIS\1.txt	CPUInfo.exe
File opened for modification	C:\windows\IIS\x64.dll	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File created	\??\c:\windows\demc.bat	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File created	C:\windows\IIS\Esteemaudit-2.1.0.fb	CPUInfo.exe
File created	C:\windows\IIS\cnli-0.dll	CPUInfo.exe
File created	C:\windows\IIS\coli-0.dll	CPUInfo.exe
File created	C:\windows\IIS\Eternalchampion-2.0.0.fb	CPUInfo.exe
File created	C:\windows\IIS\Esteemaudittouch-2.1.0.exe	CPUInfo.exe
File created	C:\windows\IIS\etchCore-0.x86.dll	CPUInfo.exe
File created	C:\windows\IIS\zlib1.dll	CPUInfo.exe
File created	\??\c:\windows\demo.bat	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File created	C:\windows\IIS\s.exe	CPUInfo.exe
File created	C:\windows\IIS\Doublepulsar-1.3.1.xml	CPUInfo.exe
File created	C:\windows\IIS\Esteemaudittouch-2.1.0.xml	CPUInfo.exe
File created	C:\windows\IIS\tibe.dll	CPUInfo.exe
File created	C:\windows\IIS\crli-0.dll	CPUInfo.exe
File created	C:\windows\IIS\riar.dll	CPUInfo.exe
File created	C:\windows\IIS\trch-0.dll	CPUInfo.exe
File created	C:\windows\IIS\x64.dll	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File created	C:\windows\IIS\free.bat	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File created	C:\windows\IIS\x86.dll	CPUInfo.exe
File created	C:\windows\IIS\adfw.dll	CPUInfo.exe
File created	C:\windows\IIS\adfw-2.dll	CPUInfo.exe
File created	C:\windows\IIS\tucl.dll	CPUInfo.exe
File created	C:\windows\IIS\Doublepulsar-1.3.1.exe	CPUInfo.exe
File created	C:\windows\IIS\Eternalblue-2.2.0.exe	CPUInfo.exe
File created	C:\windows\IIS\exma-1.dll	CPUInfo.exe
File created	C:\windows\IIS\cnli-1.dll	CPUInfo.exe
File created	C:\windows\IIS\etebCore-2.x64.dll	CPUInfo.exe
File created	C:\windows\IIS\pcre-0.dll	CPUInfo.exe
File created	C:\windows\IIS\etch-0.dll	CPUInfo.exe
File created	C:\windows\IIS\tibe-2.dll	CPUInfo.exe
File created	C:\windows\IIS\trch-1.dll	CPUInfo.exe
File created	C:\windows\IIS\trfo.dll	CPUInfo.exe
File created	C:\windows\IIS\zibe.dll	CPUInfo.exe
File created	C:\windows\IIS\pcla-0.dll	CPUInfo.exe
File created	C:\windows\IIS\trfo-0.dll	CPUInfo.exe
File created	C:\windows\IIS\dmgd-1.dll	CPUInfo.exe
File created	C:\windows\IIS\riar-2.dll	CPUInfo.exe
File created	C:\windows\IIS\tucl-1.dll	CPUInfo.exe
File created	C:\windows\IIS\CPUInfo.exe	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
File opened for modification	C:\Windows\svchost.exe	attrib.exe
File created	C:\windows\IIS\Esteemaudittouch-2.1.0.fb	CPUInfo.exe
File created	C:\windows\IIS\etchCore-0.x64.dll	CPUInfo.exe
File created	C:\windows\IIS\posh.dll	CPUInfo.exe
File created	C:\windows\IIS\Esteemaudit-2.1.0.exe	CPUInfo.exe
File created	C:\windows\IIS\dmgd-4.dll	CPUInfo.exe
File created	C:\windows\IIS\ucl.dll	CPUInfo.exe
File opened for modification	C:\Windows\srvany.exe	attrib.exe
File created	C:\windows\IIS\Eternalblue-2.2.0.xml	CPUInfo.exe
File created	C:\windows\IIS\tibe-1.dll	CPUInfo.exe
File created	C:\windows\IIS\libxml2.dll	CPUInfo.exe

Launches sc.exe 25 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1636	sc.exe
1728	sc.exe
1908	sc.exe
1160	sc.exe
876	sc.exe
304	sc.exe
1720	sc.exe
1960	sc.exe
840	sc.exe
568	sc.exe
480	sc.exe
1176	sc.exe
1912	sc.exe
1432	sc.exe
2008	sc.exe
1956	sc.exe
1308	sc.exe
608	sc.exe
1036	sc.exe
2028	sc.exe
1800	sc.exe
1252	sc.exe
1924	sc.exe
1176	sc.exe
1812	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

688 schtasks.exe
1160 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1996 ipconfig.exe

pid	process
688	schtasks.exe
1160	schtasks.exe

pid	process
1996	ipconfig.exe

Kills process with WMI 12 IoCs

evasion

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid	process
852	WMIC.exe
780	WMIC.exe
964	WMIC.exe
1696	WMIC.exe
1708	WMIC.exe
1432	WMIC.exe
1068	WMIC.exe
1708	WMIC.exe
2012	WMIC.exe
708	WMIC.exe
1612	WMIC.exe
1684	WMIC.exe

Kills process with taskkill 42 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1608	taskkill.exe
1068	taskkill.exe
764	taskkill.exe
876	taskkill.exe
1876	taskkill.exe
1488	taskkill.exe
1968	taskkill.exe
792	taskkill.exe
608	taskkill.exe
1312	taskkill.exe
1780	taskkill.exe
1908	taskkill.exe
468	taskkill.exe
1624	taskkill.exe
1420	taskkill.exe
1924	taskkill.exe
1996	taskkill.exe
1824	taskkill.exe
304	taskkill.exe
1632	taskkill.exe
1728	taskkill.exe
1068	taskkill.exe
1068	taskkill.exe
1008	taskkill.exe
1612	taskkill.exe
912	taskkill.exe
1800	taskkill.exe
1824	taskkill.exe
1164	taskkill.exe
908	taskkill.exe
1112	taskkill.exe
844	taskkill.exe
468	taskkill.exe
1776	taskkill.exe
1900	taskkill.exe
1972	taskkill.exe
2008	taskkill.exe
428	taskkill.exe
1116	taskkill.exe
1420	taskkill.exe
688	taskkill.exe
1504	taskkill.exe

Modifies data under HKEY_USERS 12 IoCs

Processes:

CPUInfo.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	CPUInfo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	CPUInfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	CPUInfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	CPUInfo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	CPUInfo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	CPUInfo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	CPUInfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	CPUInfo.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	CPUInfo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	CPUInfo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	CPUInfo.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	CPUInfo.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1472 PING.EXE
1812 PING.EXE

pid	process
1472	PING.EXE
1812	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

CPUInfo.exe

pid	process
1628	CPUInfo.exe
1628	CPUInfo.exe
1628	CPUInfo.exe
1628	CPUInfo.exe
1628	CPUInfo.exe
1628	CPUInfo.exe
1628	CPUInfo.exe
1628	CPUInfo.exe
1628	CPUInfo.exe
1628	CPUInfo.exe
1628	CPUInfo.exe
1628	CPUInfo.exe
1628	CPUInfo.exe
1628	CPUInfo.exe
1628	CPUInfo.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	852	WMIC.exe
Token: SeSecurityPrivilege	852	WMIC.exe
Token: SeTakeOwnershipPrivilege	852	WMIC.exe
Token: SeLoadDriverPrivilege	852	WMIC.exe
Token: SeSystemProfilePrivilege	852	WMIC.exe
Token: SeSystemtimePrivilege	852	WMIC.exe
Token: SeProfSingleProcessPrivilege	852	WMIC.exe
Token: SeIncBasePriorityPrivilege	852	WMIC.exe
Token: SeCreatePagefilePrivilege	852	WMIC.exe
Token: SeBackupPrivilege	852	WMIC.exe
Token: SeRestorePrivilege	852	WMIC.exe
Token: SeShutdownPrivilege	852	WMIC.exe
Token: SeDebugPrivilege	852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	852	WMIC.exe
Token: SeRemoteShutdownPrivilege	852	WMIC.exe
Token: SeUndockPrivilege	852	WMIC.exe
Token: SeManageVolumePrivilege	852	WMIC.exe
Token: 33	852	WMIC.exe
Token: 34	852	WMIC.exe
Token: 35	852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	852	WMIC.exe
Token: SeSecurityPrivilege	852	WMIC.exe
Token: SeTakeOwnershipPrivilege	852	WMIC.exe
Token: SeLoadDriverPrivilege	852	WMIC.exe
Token: SeSystemProfilePrivilege	852	WMIC.exe
Token: SeSystemtimePrivilege	852	WMIC.exe
Token: SeProfSingleProcessPrivilege	852	WMIC.exe
Token: SeIncBasePriorityPrivilege	852	WMIC.exe
Token: SeCreatePagefilePrivilege	852	WMIC.exe
Token: SeBackupPrivilege	852	WMIC.exe
Token: SeRestorePrivilege	852	WMIC.exe
Token: SeShutdownPrivilege	852	WMIC.exe
Token: SeDebugPrivilege	852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	852	WMIC.exe
Token: SeRemoteShutdownPrivilege	852	WMIC.exe
Token: SeUndockPrivilege	852	WMIC.exe
Token: SeManageVolumePrivilege	852	WMIC.exe
Token: 33	852	WMIC.exe
Token: 34	852	WMIC.exe
Token: 35	852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1068	WMIC.exe
Token: SeSecurityPrivilege	1068	WMIC.exe
Token: SeTakeOwnershipPrivilege	1068	WMIC.exe
Token: SeLoadDriverPrivilege	1068	WMIC.exe
Token: SeSystemProfilePrivilege	1068	WMIC.exe
Token: SeSystemtimePrivilege	1068	WMIC.exe
Token: SeProfSingleProcessPrivilege	1068	WMIC.exe
Token: SeIncBasePriorityPrivilege	1068	WMIC.exe
Token: SeCreatePagefilePrivilege	1068	WMIC.exe
Token: SeBackupPrivilege	1068	WMIC.exe
Token: SeRestorePrivilege	1068	WMIC.exe
Token: SeShutdownPrivilege	1068	WMIC.exe
Token: SeDebugPrivilege	1068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1068	WMIC.exe
Token: SeRemoteShutdownPrivilege	1068	WMIC.exe
Token: SeUndockPrivilege	1068	WMIC.exe
Token: SeManageVolumePrivilege	1068	WMIC.exe
Token: 33	1068	WMIC.exe
Token: 34	1068	WMIC.exe
Token: 35	1068	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1068	WMIC.exe
Token: SeSecurityPrivilege	1068	WMIC.exe
Token: SeTakeOwnershipPrivilege	1068	WMIC.exe
Token: SeLoadDriverPrivilege	1068	WMIC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exeCPUInfo.exe

pid	process
1108	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
1108	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
1628	CPUInfo.exe
1628	CPUInfo.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.execmd.execmd.exe

description	pid	process	target process
PID 1108 wrote to memory of 1080	1108	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	cmd.exe
PID 1108 wrote to memory of 1080	1108	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	cmd.exe
PID 1108 wrote to memory of 1080	1108	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	cmd.exe
PID 1108 wrote to memory of 1080	1108	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	cmd.exe
PID 1108 wrote to memory of 956	1108	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	cmd.exe
PID 1108 wrote to memory of 956	1108	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	cmd.exe
PID 1108 wrote to memory of 956	1108	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	cmd.exe
PID 1108 wrote to memory of 956	1108	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	cmd.exe
PID 1080 wrote to memory of 852	1080	cmd.exe	WMIC.exe
PID 1080 wrote to memory of 852	1080	cmd.exe	WMIC.exe
PID 1080 wrote to memory of 852	1080	cmd.exe	WMIC.exe
PID 1080 wrote to memory of 852	1080	cmd.exe	WMIC.exe
PID 956 wrote to memory of 1176	956	cmd.exe	sc.exe
PID 956 wrote to memory of 1176	956	cmd.exe	sc.exe
PID 956 wrote to memory of 1176	956	cmd.exe	sc.exe
PID 956 wrote to memory of 1176	956	cmd.exe	sc.exe
PID 956 wrote to memory of 2028	956	cmd.exe	sc.exe
PID 956 wrote to memory of 2028	956	cmd.exe	sc.exe
PID 956 wrote to memory of 2028	956	cmd.exe	sc.exe
PID 956 wrote to memory of 2028	956	cmd.exe	sc.exe
PID 956 wrote to memory of 708	956	cmd.exe	schtasks.exe
PID 956 wrote to memory of 708	956	cmd.exe	schtasks.exe
PID 956 wrote to memory of 708	956	cmd.exe	schtasks.exe
PID 956 wrote to memory of 708	956	cmd.exe	schtasks.exe
PID 956 wrote to memory of 520	956	cmd.exe	schtasks.exe
PID 956 wrote to memory of 520	956	cmd.exe	schtasks.exe
PID 956 wrote to memory of 520	956	cmd.exe	schtasks.exe
PID 956 wrote to memory of 520	956	cmd.exe	schtasks.exe
PID 956 wrote to memory of 1160	956	cmd.exe	schtasks.exe
PID 956 wrote to memory of 1160	956	cmd.exe	schtasks.exe
PID 956 wrote to memory of 1160	956	cmd.exe	schtasks.exe
PID 956 wrote to memory of 1160	956	cmd.exe	schtasks.exe
PID 1108 wrote to memory of 1512	1108	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	WScript.exe
PID 1108 wrote to memory of 1512	1108	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	WScript.exe
PID 1108 wrote to memory of 1512	1108	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	WScript.exe
PID 1108 wrote to memory of 1512	1108	483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe	WScript.exe
PID 1080 wrote to memory of 1412	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1412	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1412	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1412	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1624	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1624	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1624	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1624	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1116	1080	cmd.exe	attrib.exe
PID 1080 wrote to memory of 1116	1080	cmd.exe	attrib.exe
PID 1080 wrote to memory of 1116	1080	cmd.exe	attrib.exe
PID 1080 wrote to memory of 1116	1080	cmd.exe	attrib.exe
PID 1080 wrote to memory of 1884	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1884	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1884	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1884	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1072	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1072	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1072	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1072	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1068	1080	cmd.exe	WMIC.exe
PID 1080 wrote to memory of 1068	1080	cmd.exe	WMIC.exe
PID 1080 wrote to memory of 1068	1080	cmd.exe	WMIC.exe
PID 1080 wrote to memory of 1068	1080	cmd.exe	WMIC.exe
PID 1080 wrote to memory of 1912	1080	cmd.exe	sc.exe
PID 1080 wrote to memory of 1912	1080	cmd.exe	sc.exe
PID 1080 wrote to memory of 1912	1080	cmd.exe	sc.exe
PID 1080 wrote to memory of 1912	1080	cmd.exe	sc.exe

Views/modifies file attributes 1 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
300	attrib.exe
792	attrib.exe
2044	attrib.exe
764	attrib.exe
1404	attrib.exe
1116	attrib.exe
1096	attrib.exe
840	attrib.exe
588	attrib.exe
1000	attrib.exe
1204	attrib.exe
576	attrib.exe
544	attrib.exe
1116	attrib.exe
1744	attrib.exe

C:\Users\Admin\AppData\Local\Temp\483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
"C:\Users\Admin\AppData\Local\Temp\483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\demc.bat
2⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='server.exe' and ExecutablePath='C:\\program files (x86)\\stormii\\server.exe'" call Terminate
3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1412

C:\Windows\SysWOW64\cacls.exe
cacls "C:\program files (x86)\stormii\server.exe" /d everyone
3⤵
PID:1624

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r +a "C:\program files (x86)\stormii"
3⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
PID:1116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1884

C:\Windows\SysWOW64\cacls.exe
cacls "C:\program files (x86)\stormii" /d everyone
3⤵
PID:1072

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='conhost.exe' and ExecutablePath='C:\\program files (x86)\\windows nt\\conhost.exe'" call Terminate
3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\SysWOW64\sc.exe
sc delete SuperProServerST
3⤵
- Launches sc.exe
PID:1912

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im ftp.exe
3⤵
- Kills process with taskkill
PID:428

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\ftp.exe /a
3⤵
- Modifies file permissions
PID:560

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\ftp.exe /a
3⤵
- Modifies file permissions
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1800

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\ftp.exe /g users:f
3⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:908

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\ftp.exe /g users:f
3⤵
PID:1076

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\SysWOW64\ftp.exe
3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1744

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\System32\ftp.exe
3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1376

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\ftp.exe /d everyone
3⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:520

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\ftp.exe /d everyone
3⤵
PID:1612

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\Drivers\etc\hosts /a
3⤵
- Modifies file permissions
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2024

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\Drivers\etc\hosts /g users:f
3⤵
PID:1464

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -a -r C:\Windows\system32\Drivers\etc\hosts
3⤵
- Views/modifies file attributes
PID:840

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +a +r C:\Windows\system32\Drivers\etc\hosts
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2044

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1996

C:\Windows\SysWOW64\attrib.exe
attrib -h -r -s -a C:\ProgramData
3⤵
- Views/modifies file attributes
PID:764

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im CPUInfo.exe
3⤵
- Kills process with taskkill
PID:1824

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im up.exe
3⤵
- Kills process with taskkill
PID:1624

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im block.exe
3⤵
- Kills process with taskkill
PID:1116

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im cpu.exe
3⤵
- Kills process with taskkill
PID:1420

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im svshostr.exe
3⤵
- Kills process with taskkill
PID:1068

C:\Windows\SysWOW64\sc.exe
sc stop xtfya
3⤵
- Launches sc.exe
PID:1160

C:\Windows\SysWOW64\sc.exe
sc delete xtfya
3⤵
- Launches sc.exe
PID:876

C:\Windows\SysWOW64\sc.exe
sc stop "Network Support"
3⤵
- Launches sc.exe
PID:304

C:\Windows\SysWOW64\sc.exe
sc delete "Network Support"
3⤵
- Launches sc.exe
PID:1924

C:\Windows\SysWOW64\sc.exe
sc stop "HomeGroup Support"
3⤵
- Launches sc.exe
PID:1800

C:\Windows\SysWOW64\sc.exe
sc delete "HomeGroup Support"
3⤵
- Launches sc.exe
PID:1432

C:\Windows\SysWOW64\sc.exe
sc stop xtfy
3⤵
- Launches sc.exe
PID:1252

C:\Windows\SysWOW64\sc.exe
sc delete xtfy
3⤵
- Launches sc.exe
PID:1176

C:\Windows\SysWOW64\sc.exe
sc stop Natioanl
3⤵
- Launches sc.exe
PID:2008

C:\Windows\SysWOW64\sc.exe
sc delete Natioanl
3⤵
- Launches sc.exe
PID:1956

C:\Windows\SysWOW64\sc.exe
sc stop Natihial
3⤵
- Launches sc.exe
PID:1812

C:\Windows\SysWOW64\sc.exe
sc delete Natihial
3⤵
- Launches sc.exe
PID:1636

C:\Windows\SysWOW64\sc.exe
sc stop "Interactive Services Detection Report"
3⤵
- Launches sc.exe
PID:1720

C:\Windows\SysWOW64\sc.exe
sc delete "Interactive Services Detection Report"
3⤵
- Launches sc.exe
PID:1308

C:\Windows\SysWOW64\sc.exe
sc stop "mssecsvc2.0"
3⤵
- Launches sc.exe
PID:1960

C:\Windows\SysWOW64\sc.exe
sc delete "mssecsvc2.0"
3⤵
- Launches sc.exe
PID:840

C:\Windows\SysWOW64\sc.exe
sc stop "mssecsvc2.1"
3⤵
- Launches sc.exe
PID:608

C:\Windows\SysWOW64\sc.exe
sc delete "mssecsvc2.1"
3⤵
- Launches sc.exe
PID:568

C:\Windows\SysWOW64\sc.exe
sc stop ServiceMais
3⤵
- Launches sc.exe
PID:480

C:\Windows\SysWOW64\sc.exe
sc delete ServiceMais
3⤵
- Launches sc.exe
PID:1728

C:\Windows\SysWOW64\sc.exe
sc stop ServiceMaims
3⤵
- Launches sc.exe
PID:1908

C:\Windows\SysWOW64\sc.exe
sc delete ServiceMaims
3⤵
- Launches sc.exe
PID:1036

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\ProgramData\dll
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1624

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\dll /d everyone
3⤵
PID:300

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Progra~1\dll
3⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1884

C:\Windows\SysWOW64\cacls.exe
cacls C:\Progra~1\dll /d everyone
3⤵
PID:1676

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r c:\wax.exe
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1896

C:\Windows\SysWOW64\cacls.exe
cacls c:\wax.exe /d everyone
3⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1064

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\Natihial\svshostr.exe /d everyone
3⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1420

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\Microsoft\Natihial\cmd.exe /d everyone
3⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1224

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\expl0rer.exe /d everyone
3⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:776

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\svchost.exe /d everyone
3⤵
PID:1188

C:\Windows\SysWOW64\Wbem\WMIC.exe
Wmic Process Where "Name='cmd.exe' And ExecutablePath='C:\\ProgramData\\Microsoft\\Natihial\\cmd.exe'" Call Terminate
3⤵
- Kills process with WMI
PID:780

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "Adobe Flash Player Updaters" /f
3⤵
PID:1696

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1708

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\dll\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:964

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\dll\\csrss.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2012

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\Natioanl\\svchostr.exe'" call Terminate
3⤵
- Kills process with WMI
PID:708

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\Natioanl\\csrss..exe'" call Terminate
3⤵
- Kills process with WMI
PID:1612

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\nm\\winlogin.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1684

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\svchost.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2044

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\svchost.exe /d everyone
3⤵
PID:1672

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im tasksche.exe
3⤵
- Kills process with taskkill
PID:608

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\tasksche.exe
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1412

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\tasksche.exe /d everyone
3⤵
PID:1740

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im srvany.exe
3⤵
- Kills process with taskkill
PID:1824

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\srvany.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1624

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\srvany.exe /d everyone
3⤵
PID:300

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im WUDHostServices.exe
3⤵
- Kills process with taskkill
PID:1164

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\System32\WUDHostServices.exe
3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:844

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WUDHostServices.exe /d everyone
3⤵
PID:1896

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wbmoney.exe
3⤵
- Kills process with taskkill
PID:1608

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im GGtbviewer.exe
3⤵
- Kills process with taskkill
PID:1420

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im Netohad.pif
3⤵
- Kills process with taskkill
PID:1312

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im Qrhkveb.com
3⤵
- Kills process with taskkill
PID:876

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im Tnntknl.com
3⤵
- Kills process with taskkill
PID:304

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im Snwhtdw.bat
3⤵
- Kills process with taskkill
PID:1924

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im dllhsot.exe
3⤵
- Kills process with taskkill
PID:908

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im Tasksvr.exe
3⤵
- Kills process with taskkill
PID:1008

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im serices.exe
3⤵
- Kills process with taskkill
PID:1876

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im seever.exe
3⤵
- Kills process with taskkill
PID:1632

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im mssecsvc.exe
3⤵
- Kills process with taskkill
PID:1612

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im svchsot.exe
3⤵
- Kills process with taskkill
PID:1112

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im lsacs.exe
3⤵
- Kills process with taskkill
PID:1780

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im nsa.exe
3⤵
- Kills process with taskkill
PID:1996

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im csrs.exe
3⤵
- Kills process with taskkill
PID:1728

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WerFault.exe
3⤵
- Kills process with taskkill
PID:1908

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WScript.exe
3⤵
- Kills process with taskkill
PID:1488

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im NV-NO.exe
3⤵
- Kills process with taskkill
PID:844

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im NV.exe
3⤵
- Kills process with taskkill
PID:1968

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im Eternalblue-2.2.0.exe
3⤵
- Kills process with taskkill
PID:912

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im Eternalchampion-2.0.0.exe
3⤵
- Kills process with taskkill
PID:1068

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im Doublepulsar-1.3.1.exe
3⤵
- Kills process with taskkill
PID:468

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='explorer.exe' and ExecutablePath='C:\\Windows\\system\\explorer.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1696

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='explorer.exe' and ExecutablePath='C:\\Windows\\Fonts\\explorer.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1708

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\Fonts\\conhost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1432

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe" /f
3⤵
PID:1008

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /f
3⤵
PID:708

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundllhost.exe" /f
3⤵
PID:268

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sc.exe" /f
3⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schtasks.exe" /f
3⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wax.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Systmss.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ystmss.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauc1t.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\2.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanol.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostr.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss..exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:1112

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im lservice.exe
3⤵
- Kills process with taskkill
PID:764

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im ystmss.exe
3⤵
- Kills process with taskkill
PID:1776

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im wuauc1t.exe
3⤵
- Kills process with taskkill
PID:688

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\demo.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\sc.exe
sc config Schedule start= auto
3⤵
- Launches sc.exe
PID:1176

C:\Windows\SysWOW64\sc.exe
sc start Schedule
3⤵
- Launches sc.exe
PID:2028

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn RavTask /f
3⤵
PID:708

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn GooglePinginConfigs /f
3⤵
PID:520

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 240 /tn "RavTask" /tr "C:\windows\IIS\free.bat" /ru "system" /f
3⤵
- Creates scheduled task(s)
PID:1160

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "GooglePinginConfigs" /tr "C:\windows\IIS\CPUInfo.exe" /sc onstart /ru "system" /f
3⤵
- Creates scheduled task(s)
PID:688

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib +s +h C:\WINDOWS\Tasks\RavTask.job
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1204

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib +s +h C:\WINDOWS\Tasks\GooglePinginConfigs.job
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:300

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /tn "RavTask"
3⤵
PID:1608

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
2⤵
- Deletes itself
PID:1512

C:\Windows\system32\taskeng.exe
taskeng.exe {F8803003-212D-422F-861F-EFCF9BD9F0B0} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1912

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\windows\IIS\free.bat"
2⤵
PID:1944

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:1472

C:\Windows\system32\taskkill.exe
taskkill /f /t /im NV-NO.exe
3⤵
- Kills process with taskkill
PID:792

C:\Windows\system32\taskkill.exe
taskkill /f /t /im NV.exe
3⤵
- Kills process with taskkill
PID:1504

C:\Windows\system32\taskkill.exe
taskkill /f /t /im Eternalblue-2.2.0.exe
3⤵
- Kills process with taskkill
PID:1900

C:\Windows\system32\taskkill.exe
taskkill /f /t /im Eternalchampion-2.0.0.exe
3⤵
- Kills process with taskkill
PID:1972

C:\Windows\system32\taskkill.exe
taskkill /f /t /im Doublepulsar-1.3.1.exe
3⤵
- Kills process with taskkill
PID:1068

C:\Windows\system32\taskkill.exe
taskkill /f /im mysqld.exe
3⤵
- Kills process with taskkill
PID:468

C:\Windows\system32\taskkill.exe
taskkill /f /im CPUInfo.exe
3⤵
- Kills process with taskkill
PID:1800

C:\Windows\system32\taskkill.exe
taskkill /f /im jvav.exe
3⤵
- Kills process with taskkill
PID:2008

C:\Windows\system32\PING.EXE
ping -n 5 127.0.0.1
3⤵
- Runs ping.exe
PID:1812

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GooglePinginConfigs"
3⤵
PID:708

C:\windows\IIS\CPUInfo.exe
C:\windows\IIS\CPUInfo.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1628

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

2

T1158

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Modify Registry

1

T1112

Hidden Files and Directories

2

T1158

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs
Filesize
275B

MD5
ef1c7052536cd8a4ed2912e520c2a730

SHA1
372c30cd30ec0ba499ed497453295bb84e89b86b

SHA256
060183c7d23452e3f89d914049218eae7e84ce725e10d315638dc644a23873fc

SHA512
7bdc914f8e002fc6141cdab3b4619a54735555ccb8fd508a57d341bfe2967f159b464b35954a120fdd38b6e9422663511964367fbfea07994f2653d9b9f85fae

Download Submit
C:\Windows\IIS\CPUInfo.exe
Filesize
5.3MB

MD5
1065f9b7c189f4a22d7f11626f16b976

SHA1
562ea85b1d91f08448b2885d8346231f311d656f

SHA256
3889f6902bcbcb7cc477c599b3fec4864ffe0ce6c34a6079473232d5bf5c1de0

SHA512
bd112a5741087ba50dcfb201b39a23202030107bd069067f20e38a5706492fb134a00b117952e29479b42da2a04a498ce5df06187c34e065cea94538bed60c41

Download Submit
C:\windows\IIS\CPUInfo.exe
Filesize
5.3MB

MD5
1065f9b7c189f4a22d7f11626f16b976

SHA1
562ea85b1d91f08448b2885d8346231f311d656f

SHA256
3889f6902bcbcb7cc477c599b3fec4864ffe0ce6c34a6079473232d5bf5c1de0

SHA512
bd112a5741087ba50dcfb201b39a23202030107bd069067f20e38a5706492fb134a00b117952e29479b42da2a04a498ce5df06187c34e065cea94538bed60c41

Download Submit
C:\windows\IIS\free.bat
Filesize
379B

MD5
857fc3145d5aee4399bf6c9fd9dc8245

SHA1
18c27ecbebc5a3095e95690f2399c7b5e92e40fd

SHA256
2401f4b6f34644668ee50911fb7e9d51c82b65776eea940f0e8e16ff9ec9d68e

SHA512
289da4490f7623cca94adb6f19006dfa5628a1080ac963199e05fdca65a1f2d7db888f5aa63ee264c5c6c781cb802e8a8d07cec14c8ab4cf7be2ad07516caf35

Download Submit
\??\c:\windows\demc.bat
Filesize
7KB

MD5
a17bd95441d3fa37660e87842dc896aa

SHA1
83951f95e5739593ac0a2d71b56075509298e542

SHA256
3457579ecd591d2905e833be4aa7215e0302623447c1072bb55586c4a0284203

SHA512
bd7cb5dbc9f11ace523bc89486b8d097f6c092a9f09b1dc847d7b4854db7f42a292aef20bd4d3d89a743f67607ebb0156327644def83fd5ea30c239297e53b1f

Download Submit
\??\c:\windows\demo.bat
Filesize
511B

MD5
11275993a1a8f44371ab48820422b273

SHA1
01a96b635ffea21d3d7ac6c4694ce1da25bcbb33

SHA256
59f0d74e831cbd6b08b14e7c4efbe383b0ea8b7463fda81c35acee799c983e6e

SHA512
db1df17de51e48d18cfc145983b1d9851e94f9fc908e99d5534516b81677e1e8c353d438422b45fd9702b85e0d9103297a86313b6bdc654703f01f23f4aab74c

Download Submit
memory/300-102-0x0000000000000000-mapping.dmp

Download
memory/304-109-0x0000000000000000-mapping.dmp

Download
memory/428-77-0x0000000000000000-mapping.dmp

Download
memory/480-125-0x0000000000000000-mapping.dmp

Download
memory/520-64-0x0000000000000000-mapping.dmp

Download
memory/520-89-0x0000000000000000-mapping.dmp

Download
memory/560-79-0x0000000000000000-mapping.dmp

Download
memory/568-124-0x0000000000000000-mapping.dmp

Download
memory/608-123-0x0000000000000000-mapping.dmp

Download
memory/688-78-0x0000000000000000-mapping.dmp

Download
memory/708-63-0x0000000000000000-mapping.dmp

Download
memory/764-98-0x0000000000000000-mapping.dmp

Download
memory/840-122-0x0000000000000000-mapping.dmp

Download
memory/840-94-0x0000000000000000-mapping.dmp

Download
memory/852-60-0x0000000000000000-mapping.dmp

Download
memory/876-108-0x0000000000000000-mapping.dmp

Download
memory/908-83-0x0000000000000000-mapping.dmp

Download
memory/956-56-0x0000000000000000-mapping.dmp

Download
memory/1068-75-0x0000000000000000-mapping.dmp

Download
memory/1068-106-0x0000000000000000-mapping.dmp

Download
memory/1072-74-0x0000000000000000-mapping.dmp

Download
memory/1076-84-0x0000000000000000-mapping.dmp

Download
memory/1080-55-0x0000000000000000-mapping.dmp

Download
memory/1096-86-0x0000000000000000-mapping.dmp

Download
memory/1108-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1108-57-0x0000000000400000-0x0000000000A2E000-memory.dmp

Filesize
6.2MB

Download
memory/1108-68-0x0000000000400000-0x0000000000A2E000-memory.dmp

Filesize
6.2MB

Download
memory/1116-103-0x0000000000000000-mapping.dmp

Download
memory/1116-72-0x0000000000000000-mapping.dmp

Download
memory/1160-65-0x0000000000000000-mapping.dmp

Download
memory/1160-107-0x0000000000000000-mapping.dmp

Download
memory/1176-114-0x0000000000000000-mapping.dmp

Download
memory/1176-61-0x0000000000000000-mapping.dmp

Download
memory/1204-101-0x0000000000000000-mapping.dmp

Download
memory/1252-113-0x0000000000000000-mapping.dmp

Download
memory/1308-120-0x0000000000000000-mapping.dmp

Download
memory/1376-87-0x0000000000000000-mapping.dmp

Download
memory/1412-69-0x0000000000000000-mapping.dmp

Download
memory/1420-105-0x0000000000000000-mapping.dmp

Download
memory/1432-112-0x0000000000000000-mapping.dmp

Download
memory/1464-93-0x0000000000000000-mapping.dmp

Download
memory/1512-66-0x0000000000000000-mapping.dmp

Download
memory/1608-104-0x0000000000000000-mapping.dmp

Download
memory/1612-90-0x0000000000000000-mapping.dmp

Download
memory/1624-100-0x0000000000000000-mapping.dmp

Download
memory/1624-71-0x0000000000000000-mapping.dmp

Download
memory/1628-129-0x0000000000400000-0x0000000000F53000-memory.dmp

Filesize
11.3MB

Download
memory/1628-135-0x00000000777B0000-0x0000000077930000-memory.dmp

Filesize
1.5MB

Download
memory/1628-133-0x0000000000400000-0x0000000000F53000-memory.dmp

Filesize
11.3MB

Download
memory/1628-132-0x00000000777B0000-0x0000000077930000-memory.dmp

Filesize
1.5MB

Download
memory/1628-134-0x0000000000400000-0x0000000000F53000-memory.dmp

Filesize
11.3MB

Download
memory/1628-131-0x0000000000400000-0x0000000000F53000-memory.dmp

Filesize
11.3MB

Download
memory/1636-118-0x0000000000000000-mapping.dmp

Download
memory/1684-91-0x0000000000000000-mapping.dmp

Download
memory/1708-80-0x0000000000000000-mapping.dmp

Download
memory/1720-119-0x0000000000000000-mapping.dmp

Download
memory/1744-85-0x0000000000000000-mapping.dmp

Download
memory/1800-81-0x0000000000000000-mapping.dmp

Download
memory/1800-111-0x0000000000000000-mapping.dmp

Download
memory/1812-117-0x0000000000000000-mapping.dmp

Download
memory/1812-88-0x0000000000000000-mapping.dmp

Download
memory/1824-99-0x0000000000000000-mapping.dmp

Download
memory/1832-82-0x0000000000000000-mapping.dmp

Download
memory/1884-73-0x0000000000000000-mapping.dmp

Download
memory/1912-76-0x0000000000000000-mapping.dmp

Download
memory/1924-110-0x0000000000000000-mapping.dmp

Download
memory/1956-116-0x0000000000000000-mapping.dmp

Download
memory/1960-121-0x0000000000000000-mapping.dmp

Download
memory/1996-96-0x0000000000000000-mapping.dmp

Download
memory/2008-115-0x0000000000000000-mapping.dmp

Download
memory/2024-92-0x0000000000000000-mapping.dmp

Download
memory/2028-62-0x0000000000000000-mapping.dmp

Download
memory/2044-95-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads