Analysis
- max time kernel: 147s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-12-2022 18:32
Static task: static1
Behavioral task: behavioral1
Sample: be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
Resource: win7-20220812-en
General
- Target: be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
- Size: 102KB
- MD5: b9c7ff14fb297f70fbda656a683b5dff
- SHA1: 27704707d62f0a724172af81b62a6f86e100864e
- SHA256: be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f
- SHA512: 33c81959b0c128c6752008dd6dcf4b519bbd5ec2a95ab4dd9c74c563d49019106af23159d9f4779eae58c37fc868419e093fa28d22ec76c774fb9bc555adc4cb
- SSDEEP: 1536:9y/OQ+2BHdzvGlQ1n2GR7klU9ByNLOP2HmZXwVl0wHCJK9f:9qH+2LDzn2S7kIByNiYmZXwBiu
Malware Config
Signatures
Possible privilege escalation attempt (2 IoCs)
Processes:
  pid   process
  1520  takeown.exe
  1684  icacls.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
Loads dropped DLL (1 IoC)
Processes:
  pid   process
  1008  regsvr32.exe
Modifies file permissions (1 TTP, 2 IoCs)
Processes:
  pid   process
  1520  takeown.exe
  1684  icacls.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  File opened (read-only) by svchost.exe, one event per drive root, in the order observed:
  \??\X:, \??\E:, \??\K:, \??\L:, \??\N:, \??\P:, \??\W:, \??\G:, \??\I:, \??\R:, \??\S:, \??\U:, \??\V:, \??\Y:, \??\Z:, \??\A:, \??\F:, \??\H:, \??\J:, \??\Q:, \??\T:, \??\B:, \??\M:, \??\O:
Drops file in System32 directory (18 IoCs)
Processes: svchost.exe, svchost.exe, svchost.exe, regsvr32.exe, svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177  svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506  svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776  svchost.exe
  File opened for modification  C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx  svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DE0D974FB4DC3536B9035FD604565AB7_8EE5A18D15589360FEDCA1006FF231FD  svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506  svchost.exe
  File opened for modification  C:\Windows\SysWOW64\rpcss.dll  regsvr32.exe
  File opened for modification  C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work  svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749  svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776  svchost.exe
  File opened for modification  C:\Windows\SysWOW64\apa.dll  regsvr32.exe
  File created                  C:\Windows\SysWOW64\rpcss.dll  regsvr32.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776  svchost.exe
  File opened for modification  C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan  svchost.exe
  File opened for modification  C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work  svchost.exe
  File opened for modification  C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work  svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157  svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868  svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: svchost.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs
Modifies data under HKEY_USERS (6 IoCs)
Processes: svchost.exe, svchost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02kzojjjmrciekyt\DeviceId = "<Data LastUpdatedTime=\"1662030033\"><User username=\"02KZOJJJMRCIEKYT\"><HardwareInfo BoundTime=\"1662030034\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"  svchost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02kzojjjmrciekyt\DeviceId = "<Data LastUpdatedTime=\"1662030033\"><User username=\"02KZOJJJMRCIEKYT\"><HardwareInfo BoundTime=\"1670116038\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"41533\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"  svchost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018000AA3474A5F"  svchost.exe
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  svchost.exe
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  svchost.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0"  svchost.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
  pid   process       events
  1008  regsvr32.exe  10
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: regsvr32.exe, takeown.exe, svchost.exe
  pid   process       token(s) adjusted
  1008  regsvr32.exe  SeDebugPrivilege (1 event)
  1520  takeown.exe   SeTakeOwnershipPrivilege (1 event)
  2792  svchost.exe   62 events cycling through SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Suspicious use of UnmapMainImage (4 IoCs)
Processes:
  pid   process      events
  2704  svchost.exe  4
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe, regsvr32.exe
  source pid  source process                                                             target pid(s)                                                                                                                                                      target process  events
  4904        be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe       1008                                                                                                                                                               regsvr32.exe    3
  1008        regsvr32.exe                                                               1520                                                                                                                                                               takeown.exe     3
  1008        regsvr32.exe                                                               1684                                                                                                                                                               icacls.exe      3
  1008        regsvr32.exe                                                               764, 888, 936, 428, 424, 688, 1028, 1048, 1120, 1196, 1216, 1264, 1352, 1400, 1428, 1448, 1504, 1592, 1632, 1640, 1660, 1808, 1816, 1900, 1908, 2016, 2040        svchost.exe     2 each
  1008        regsvr32.exe                                                               1316                                                                                                                                                               svchost.exe     1
Processes
- C:\Windows\system32\svchost.exe -k DcomLaunch -p
  - C:\Windows\System32\mousocoreworker.exe -Embedding
- C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- C:\Windows\system32\svchost.exe -k RPCSS -p
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  signatures: Drops file in System32 directory
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  signatures: Drops file in System32 directory
- C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
- C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  signatures: Modifies data under HKEY_USERS
- C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- C:\Windows\System32\svchost.exe -k WerSvcGroup
- C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
  signatures: Drops file in System32 directory; Checks SCSI registry key(s); Modifies data under HKEY_USERS
- C:\Windows\System32\svchost.exe -k netsvcs -p
- C:\Windows\system32\svchost.exe -k LocalService -s W32Time
- C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
  signatures: Enumerates connected drives
- C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
  signatures: Drops file in System32 directory; Suspicious use of UnmapMainImage
- C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
- C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- "C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe"
  image: C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\e56bb94~.tmp ,C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
    image: C:\Windows\SysWOW64\regsvr32.exe
    signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - takeown /f "C:\Windows\system32\rpcss.dll"
      image: C:\Windows\SysWOW64\takeown.exe
      signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
      image: C:\Windows\SysWOW64\icacls.exe
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - cmd /c del %%SystemRoot%%\system32\rpcss.dll~*
      image: C:\Windows\SysWOW64\cmd.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\e56bb94~.tmp
  Filesize: 960KB
  MD5: 848b19a65ebd0063ac098e7bb37c0641
  SHA1: e45f52e30f87d1506a6ea6b611ae244d0326686f
  SHA256: 4419f8ef04e03fdf7c5f7c11b37435dced39f403a2d609c9b039091ddecce058
  SHA512: 88671786bb3519ee4f338c48d6fde6394109dc1c074f123e4e1eaca60c7ed2564d098115ba5e58f5903c8504b0642555afeb305c46e72b0c5fffcfee9f73587f
- C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 434B
  MD5: 6cb6f408a64107b900c3f4c0033dfe43
  SHA1: 3dd2778c9a17b45b1f95d070faa5e263be52f251
  SHA256: bc8d570c036717b95163006a45fa2854044541fd0daeda675dc0a8372e920e65
  SHA512: 07c5a9ec4aef450d4ebdd52f0a013506080feaea0ab979d074ea74abc57fc9dc79703038a65236accae72f1381e91183dfec3e4af0d5448e76f385c1b94377d8
- memory/1008-132-0x0000000000000000-mapping.dmp
- memory/1520-135-0x0000000000000000-mapping.dmp
- memory/1684-136-0x0000000000000000-mapping.dmp
- memory/1804-185-0x0000000000000000-mapping.dmp
- memory/4892-186-0x0000000000000000-mapping.dmp