be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f

General

Target

be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
Size

102KB
MD5

b9c7ff14fb297f70fbda656a683b5dff
SHA1

27704707d62f0a724172af81b62a6f86e100864e
SHA256

be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f
SHA512

33c81959b0c128c6752008dd6dcf4b519bbd5ec2a95ab4dd9c74c563d49019106af23159d9f4779eae58c37fc868419e093fa28d22ec76c774fb9bc555adc4cb
SSDEEP

1536:9y/OQ+2BHdzvGlQ1n2GR7klU9ByNLOP2HmZXwVl0wHCJK9f:9qH+2LDzn2S7kIByNiYmZXwBiu

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1520 takeown.exe
1684 icacls.exe

pid	process
1520	takeown.exe
1684	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1008 regsvr32.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1520 takeown.exe
1684 icacls.exe

pid	process
1520	takeown.exe
1684	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe

Drops file in System32 directory 18 IoCs

Processes:

svchost.exesvchost.exesvchost.exeregsvr32.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DE0D974FB4DC3536B9035FD604565AB7_8EE5A18D15589360FEDCA1006FF231FD	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\SysWOW64\apa.dll	regsvr32.exe
File created	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02kzojjjmrciekyt\DeviceId = "<Data LastUpdatedTime=\"1662030033\"><User username=\"02KZOJJJMRCIEKYT\"><HardwareInfo BoundTime=\"1662030034\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02kzojjjmrciekyt\DeviceId = "<Data LastUpdatedTime=\"1662030033\"><User username=\"02KZOJJJMRCIEKYT\"><HardwareInfo BoundTime=\"1670116038\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"41533\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018000AA3474A5F"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

regsvr32.exe

pid	process
1008	regsvr32.exe
1008	regsvr32.exe
1008	regsvr32.exe
1008	regsvr32.exe
1008	regsvr32.exe
1008	regsvr32.exe
1008	regsvr32.exe
1008	regsvr32.exe
1008	regsvr32.exe
1008	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

regsvr32.exetakeown.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1008	regsvr32.exe
Token: SeTakeOwnershipPrivilege	1520	takeown.exe
Token: SeAssignPrimaryTokenPrivilege	2792	svchost.exe
Token: SeIncreaseQuotaPrivilege	2792	svchost.exe
Token: SeSecurityPrivilege	2792	svchost.exe
Token: SeTakeOwnershipPrivilege	2792	svchost.exe
Token: SeLoadDriverPrivilege	2792	svchost.exe
Token: SeBackupPrivilege	2792	svchost.exe
Token: SeRestorePrivilege	2792	svchost.exe
Token: SeShutdownPrivilege	2792	svchost.exe
Token: SeSystemEnvironmentPrivilege	2792	svchost.exe
Token: SeManageVolumePrivilege	2792	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2792	svchost.exe
Token: SeIncreaseQuotaPrivilege	2792	svchost.exe
Token: SeSecurityPrivilege	2792	svchost.exe
Token: SeTakeOwnershipPrivilege	2792	svchost.exe
Token: SeLoadDriverPrivilege	2792	svchost.exe
Token: SeSystemtimePrivilege	2792	svchost.exe
Token: SeBackupPrivilege	2792	svchost.exe
Token: SeRestorePrivilege	2792	svchost.exe
Token: SeShutdownPrivilege	2792	svchost.exe
Token: SeSystemEnvironmentPrivilege	2792	svchost.exe
Token: SeUndockPrivilege	2792	svchost.exe
Token: SeManageVolumePrivilege	2792	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2792	svchost.exe
Token: SeIncreaseQuotaPrivilege	2792	svchost.exe
Token: SeSecurityPrivilege	2792	svchost.exe
Token: SeTakeOwnershipPrivilege	2792	svchost.exe
Token: SeLoadDriverPrivilege	2792	svchost.exe
Token: SeSystemtimePrivilege	2792	svchost.exe
Token: SeBackupPrivilege	2792	svchost.exe
Token: SeRestorePrivilege	2792	svchost.exe
Token: SeShutdownPrivilege	2792	svchost.exe
Token: SeSystemEnvironmentPrivilege	2792	svchost.exe
Token: SeUndockPrivilege	2792	svchost.exe
Token: SeManageVolumePrivilege	2792	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2792	svchost.exe
Token: SeIncreaseQuotaPrivilege	2792	svchost.exe
Token: SeSecurityPrivilege	2792	svchost.exe
Token: SeTakeOwnershipPrivilege	2792	svchost.exe
Token: SeLoadDriverPrivilege	2792	svchost.exe
Token: SeSystemtimePrivilege	2792	svchost.exe
Token: SeBackupPrivilege	2792	svchost.exe
Token: SeRestorePrivilege	2792	svchost.exe
Token: SeShutdownPrivilege	2792	svchost.exe
Token: SeSystemEnvironmentPrivilege	2792	svchost.exe
Token: SeUndockPrivilege	2792	svchost.exe
Token: SeManageVolumePrivilege	2792	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2792	svchost.exe
Token: SeIncreaseQuotaPrivilege	2792	svchost.exe
Token: SeSecurityPrivilege	2792	svchost.exe
Token: SeTakeOwnershipPrivilege	2792	svchost.exe
Token: SeLoadDriverPrivilege	2792	svchost.exe
Token: SeSystemtimePrivilege	2792	svchost.exe
Token: SeBackupPrivilege	2792	svchost.exe
Token: SeRestorePrivilege	2792	svchost.exe
Token: SeShutdownPrivilege	2792	svchost.exe
Token: SeSystemEnvironmentPrivilege	2792	svchost.exe
Token: SeUndockPrivilege	2792	svchost.exe
Token: SeManageVolumePrivilege	2792	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2792	svchost.exe
Token: SeIncreaseQuotaPrivilege	2792	svchost.exe
Token: SeSecurityPrivilege	2792	svchost.exe
Token: SeTakeOwnershipPrivilege	2792	svchost.exe

Suspicious use of UnmapMainImage 4 IoCs

Processes:

svchost.exe

pid process

2704 svchost.exe
2704 svchost.exe
2704 svchost.exe
2704 svchost.exe

pid	process
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exeregsvr32.exe

description	pid	process	target process
PID 4904 wrote to memory of 1008	4904	be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe	regsvr32.exe
PID 4904 wrote to memory of 1008	4904	be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe	regsvr32.exe
PID 4904 wrote to memory of 1008	4904	be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe	regsvr32.exe
PID 1008 wrote to memory of 1520	1008	regsvr32.exe	takeown.exe
PID 1008 wrote to memory of 1520	1008	regsvr32.exe	takeown.exe
PID 1008 wrote to memory of 1520	1008	regsvr32.exe	takeown.exe
PID 1008 wrote to memory of 1684	1008	regsvr32.exe	icacls.exe
PID 1008 wrote to memory of 1684	1008	regsvr32.exe	icacls.exe
PID 1008 wrote to memory of 1684	1008	regsvr32.exe	icacls.exe
PID 1008 wrote to memory of 764	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 764	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 888	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 888	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 936	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 936	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 428	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 428	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 424	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 424	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 688	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 688	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1028	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1028	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1048	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1048	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1120	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1120	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1196	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1196	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1216	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1216	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1264	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1264	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1352	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1352	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1400	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1400	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1428	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1428	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1448	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1448	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1504	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1504	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1592	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1592	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1632	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1632	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1640	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1640	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1660	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1660	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1808	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1808	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1816	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1816	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1900	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1900	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1908	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1908	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 2016	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 2016	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 2040	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 2040	1008	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1316	1008	regsvr32.exe	svchost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:764

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
2⤵
PID:4892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2344

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:3288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:4184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:60

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Suspicious use of UnmapMainImage
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
"C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\e56bb94~.tmp ,C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rpcss.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c del %%SystemRoot%%\system32\rpcss.dll~*
3⤵
PID:1804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e56bb94~.tmp
Filesize
960KB

MD5
848b19a65ebd0063ac098e7bb37c0641

SHA1
e45f52e30f87d1506a6ea6b611ae244d0326686f

SHA256
4419f8ef04e03fdf7c5f7c11b37435dced39f403a2d609c9b039091ddecce058

SHA512
88671786bb3519ee4f338c48d6fde6394109dc1c074f123e4e1eaca60c7ed2564d098115ba5e58f5903c8504b0642555afeb305c46e72b0c5fffcfee9f73587f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e56bb94~.tmp
Filesize
960KB

MD5
848b19a65ebd0063ac098e7bb37c0641

SHA1
e45f52e30f87d1506a6ea6b611ae244d0326686f

SHA256
4419f8ef04e03fdf7c5f7c11b37435dced39f403a2d609c9b039091ddecce058

SHA512
88671786bb3519ee4f338c48d6fde6394109dc1c074f123e4e1eaca60c7ed2564d098115ba5e58f5903c8504b0642555afeb305c46e72b0c5fffcfee9f73587f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
6cb6f408a64107b900c3f4c0033dfe43

SHA1
3dd2778c9a17b45b1f95d070faa5e263be52f251

SHA256
bc8d570c036717b95163006a45fa2854044541fd0daeda675dc0a8372e920e65

SHA512
07c5a9ec4aef450d4ebdd52f0a013506080feaea0ab979d074ea74abc57fc9dc79703038a65236accae72f1381e91183dfec3e4af0d5448e76f385c1b94377d8

Download Submit
memory/1008-132-0x0000000000000000-mapping.dmp

Download
memory/1520-135-0x0000000000000000-mapping.dmp

Download
memory/1684-136-0x0000000000000000-mapping.dmp

Download
memory/1804-185-0x0000000000000000-mapping.dmp

Download
memory/4892-186-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads