Analysis
max time kernel: 147s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-12-2022 18:32
Static task: static1
Behavioral task: behavioral1
Sample: be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
Resource: win7-20220812-en
General
Target: be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
Size: 102KB
MD5: b9c7ff14fb297f70fbda656a683b5dff
SHA1: 27704707d62f0a724172af81b62a6f86e100864e
SHA256: be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f
SHA512: 33c81959b0c128c6752008dd6dcf4b519bbd5ec2a95ab4dd9c74c563d49019106af23159d9f4779eae58c37fc868419e093fa28d22ec76c774fb9bc555adc4cb
SSDEEP: 1536:9y/OQ+2BHdzvGlQ1n2GR7klU9ByNLOP2HmZXwVl0wHCJK9f:9qH+2LDzn2S7kIByNiYmZXwBiu
Malware Config
Signatures
Possible privilege escalation attempt (2 IoCs)
  pid | Process
  1520 | takeown.exe
  1684 | icacls.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
Loads dropped DLL (1 IoC)
  pid | Process
  1008 | regsvr32.exe
Modifies file permissions (1 TTP, 2 IoCs)
  pid | Process
  1520 | takeown.exe
  1684 | icacls.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\X: | svchost.exe
  File opened (read-only) | \??\E: | svchost.exe
  File opened (read-only) | \??\K: | svchost.exe
  File opened (read-only) | \??\L: | svchost.exe
  File opened (read-only) | \??\N: | svchost.exe
  File opened (read-only) | \??\P: | svchost.exe
  File opened (read-only) | \??\W: | svchost.exe
  File opened (read-only) | \??\G: | svchost.exe
  File opened (read-only) | \??\I: | svchost.exe
  File opened (read-only) | \??\R: | svchost.exe
  File opened (read-only) | \??\S: | svchost.exe
  File opened (read-only) | \??\U: | svchost.exe
  File opened (read-only) | \??\V: | svchost.exe
  File opened (read-only) | \??\Y: | svchost.exe
  File opened (read-only) | \??\Z: | svchost.exe
  File opened (read-only) | \??\A: | svchost.exe
  File opened (read-only) | \??\F: | svchost.exe
  File opened (read-only) | \??\H: | svchost.exe
  File opened (read-only) | \??\J: | svchost.exe
  File opened (read-only) | \??\Q: | svchost.exe
  File opened (read-only) | \??\T: | svchost.exe
  File opened (read-only) | \??\B: | svchost.exe
  File opened (read-only) | \??\M: | svchost.exe
  File opened (read-only) | \??\O: | svchost.exe
Drops file in System32 directory (18 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | svchost.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DE0D974FB4DC3536B9035FD604565AB7_8EE5A18D15589360FEDCA1006FF231FD | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\rpcss.dll | regsvr32.exe
  File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\apa.dll | regsvr32.exe
  File created | C:\Windows\SysWOW64\rpcss.dll | regsvr32.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | svchost.exe
  File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | svchost.exe
  File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | svchost.exe
  File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | svchost.exe
Modifies data under HKEY_USERS (6 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02kzojjjmrciekyt\DeviceId = "<Data LastUpdatedTime=\"1662030033\"><User username=\"02KZOJJJMRCIEKYT\"><HardwareInfo BoundTime=\"1662030034\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n" | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02kzojjjmrciekyt\DeviceId = "<Data LastUpdatedTime=\"1662030033\"><User username=\"02KZOJJJMRCIEKYT\"><HardwareInfo BoundTime=\"1670116038\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"41533\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n" | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018000AA3474A5F" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0" | svchost.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process
  1008 | regsvr32.exe
  1008 | regsvr32.exe
  1008 | regsvr32.exe
  1008 | regsvr32.exe
  1008 | regsvr32.exe
  1008 | regsvr32.exe
  1008 | regsvr32.exe
  1008 | regsvr32.exe
  1008 | regsvr32.exe
  1008 | regsvr32.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1008 | regsvr32.exe
  Token: SeTakeOwnershipPrivilege | 1520 | takeown.exe
  Token: SeAssignPrimaryTokenPrivilege | 2792 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 2792 | svchost.exe
  Token: SeSecurityPrivilege | 2792 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 2792 | svchost.exe
  Token: SeLoadDriverPrivilege | 2792 | svchost.exe
  Token: SeBackupPrivilege | 2792 | svchost.exe
  Token: SeRestorePrivilege | 2792 | svchost.exe
  Token: SeShutdownPrivilege | 2792 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 2792 | svchost.exe
  Token: SeManageVolumePrivilege | 2792 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 2792 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 2792 | svchost.exe
  Token: SeSecurityPrivilege | 2792 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 2792 | svchost.exe
  Token: SeLoadDriverPrivilege | 2792 | svchost.exe
  Token: SeSystemtimePrivilege | 2792 | svchost.exe
  Token: SeBackupPrivilege | 2792 | svchost.exe
  Token: SeRestorePrivilege | 2792 | svchost.exe
  Token: SeShutdownPrivilege | 2792 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 2792 | svchost.exe
  Token: SeUndockPrivilege | 2792 | svchost.exe
  Token: SeManageVolumePrivilege | 2792 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 2792 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 2792 | svchost.exe
  Token: SeSecurityPrivilege | 2792 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 2792 | svchost.exe
  Token: SeLoadDriverPrivilege | 2792 | svchost.exe
  Token: SeSystemtimePrivilege | 2792 | svchost.exe
  Token: SeBackupPrivilege | 2792 | svchost.exe
  Token: SeRestorePrivilege | 2792 | svchost.exe
  Token: SeShutdownPrivilege | 2792 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 2792 | svchost.exe
  Token: SeUndockPrivilege | 2792 | svchost.exe
  Token: SeManageVolumePrivilege | 2792 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 2792 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 2792 | svchost.exe
  Token: SeSecurityPrivilege | 2792 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 2792 | svchost.exe
  Token: SeLoadDriverPrivilege | 2792 | svchost.exe
  Token: SeSystemtimePrivilege | 2792 | svchost.exe
  Token: SeBackupPrivilege | 2792 | svchost.exe
  Token: SeRestorePrivilege | 2792 | svchost.exe
  Token: SeShutdownPrivilege | 2792 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 2792 | svchost.exe
  Token: SeUndockPrivilege | 2792 | svchost.exe
  Token: SeManageVolumePrivilege | 2792 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 2792 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 2792 | svchost.exe
  Token: SeSecurityPrivilege | 2792 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 2792 | svchost.exe
  Token: SeLoadDriverPrivilege | 2792 | svchost.exe
  Token: SeSystemtimePrivilege | 2792 | svchost.exe
  Token: SeBackupPrivilege | 2792 | svchost.exe
  Token: SeRestorePrivilege | 2792 | svchost.exe
  Token: SeShutdownPrivilege | 2792 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 2792 | svchost.exe
  Token: SeUndockPrivilege | 2792 | svchost.exe
  Token: SeManageVolumePrivilege | 2792 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 2792 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 2792 | svchost.exe
  Token: SeSecurityPrivilege | 2792 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 2792 | svchost.exe
Suspicious use of UnmapMainImage (4 IoCs)
  pid | Process
  2704 | svchost.exe
  2704 | svchost.exe
  2704 | svchost.exe
  2704 | svchost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4904 wrote to memory of 1008 | 4904 | be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe | 81
  PID 4904 wrote to memory of 1008 | 4904 | be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe | 81
  PID 4904 wrote to memory of 1008 | 4904 | be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe | 81
  PID 1008 wrote to memory of 1520 | 1008 | regsvr32.exe | 82
  PID 1008 wrote to memory of 1520 | 1008 | regsvr32.exe | 82
  PID 1008 wrote to memory of 1520 | 1008 | regsvr32.exe | 82
  PID 1008 wrote to memory of 1684 | 1008 | regsvr32.exe | 84
  PID 1008 wrote to memory of 1684 | 1008 | regsvr32.exe | 84
  PID 1008 wrote to memory of 1684 | 1008 | regsvr32.exe | 84
  PID 1008 wrote to memory of 764 | 1008 | regsvr32.exe | 8
  PID 1008 wrote to memory of 764 | 1008 | regsvr32.exe | 8
  PID 1008 wrote to memory of 888 | 1008 | regsvr32.exe | 12
  PID 1008 wrote to memory of 888 | 1008 | regsvr32.exe | 12
  PID 1008 wrote to memory of 936 | 1008 | regsvr32.exe | 10
  PID 1008 wrote to memory of 936 | 1008 | regsvr32.exe | 10
  PID 1008 wrote to memory of 428 | 1008 | regsvr32.exe | 11
  PID 1008 wrote to memory of 428 | 1008 | regsvr32.exe | 11
  PID 1008 wrote to memory of 424 | 1008 | regsvr32.exe | 14
  PID 1008 wrote to memory of 424 | 1008 | regsvr32.exe | 14
  PID 1008 wrote to memory of 688 | 1008 | regsvr32.exe | 16
  PID 1008 wrote to memory of 688 | 1008 | regsvr32.exe | 16
  PID 1008 wrote to memory of 1028 | 1008 | regsvr32.exe | 17
  PID 1008 wrote to memory of 1028 | 1008 | regsvr32.exe | 17
  PID 1008 wrote to memory of 1048 | 1008 | regsvr32.exe | 19
  PID 1008 wrote to memory of 1048 | 1008 | regsvr32.exe | 19
  PID 1008 wrote to memory of 1120 | 1008 | regsvr32.exe | 18
  PID 1008 wrote to memory of 1120 | 1008 | regsvr32.exe | 18
  PID 1008 wrote to memory of 1196 | 1008 | regsvr32.exe | 20
  PID 1008 wrote to memory of 1196 | 1008 | regsvr32.exe | 20
  PID 1008 wrote to memory of 1216 | 1008 | regsvr32.exe | 21
  PID 1008 wrote to memory of 1216 | 1008 | regsvr32.exe | 21
  PID 1008 wrote to memory of 1264 | 1008 | regsvr32.exe | 22
  PID 1008 wrote to memory of 1264 | 1008 | regsvr32.exe | 22
  PID 1008 wrote to memory of 1352 | 1008 | regsvr32.exe | 23
  PID 1008 wrote to memory of 1352 | 1008 | regsvr32.exe | 23
  PID 1008 wrote to memory of 1400 | 1008 | regsvr32.exe | 24
  PID 1008 wrote to memory of 1400 | 1008 | regsvr32.exe | 24
  PID 1008 wrote to memory of 1428 | 1008 | regsvr32.exe | 25
  PID 1008 wrote to memory of 1428 | 1008 | regsvr32.exe | 25
  PID 1008 wrote to memory of 1448 | 1008 | regsvr32.exe | 26
  PID 1008 wrote to memory of 1448 | 1008 | regsvr32.exe | 26
  PID 1008 wrote to memory of 1504 | 1008 | regsvr32.exe | 27
  PID 1008 wrote to memory of 1504 | 1008 | regsvr32.exe | 27
  PID 1008 wrote to memory of 1592 | 1008 | regsvr32.exe | 28
  PID 1008 wrote to memory of 1592 | 1008 | regsvr32.exe | 28
  PID 1008 wrote to memory of 1632 | 1008 | regsvr32.exe | 29
  PID 1008 wrote to memory of 1632 | 1008 | regsvr32.exe | 29
  PID 1008 wrote to memory of 1640 | 1008 | regsvr32.exe | 79
  PID 1008 wrote to memory of 1640 | 1008 | regsvr32.exe | 79
  PID 1008 wrote to memory of 1660 | 1008 | regsvr32.exe | 78
  PID 1008 wrote to memory of 1660 | 1008 | regsvr32.exe | 78
  PID 1008 wrote to memory of 1808 | 1008 | regsvr32.exe | 77
  PID 1008 wrote to memory of 1808 | 1008 | regsvr32.exe | 77
  PID 1008 wrote to memory of 1816 | 1008 | regsvr32.exe | 76
  PID 1008 wrote to memory of 1816 | 1008 | regsvr32.exe | 76
  PID 1008 wrote to memory of 1900 | 1008 | regsvr32.exe | 30
  PID 1008 wrote to memory of 1900 | 1008 | regsvr32.exe | 30
  PID 1008 wrote to memory of 1908 | 1008 | regsvr32.exe | 75
  PID 1008 wrote to memory of 1908 | 1008 | regsvr32.exe | 75
  PID 1008 wrote to memory of 2016 | 1008 | regsvr32.exe | 74
  PID 1008 wrote to memory of 2016 | 1008 | regsvr32.exe | 74
  PID 1008 wrote to memory of 2040 | 1008 | regsvr32.exe | 73
  PID 1008 wrote to memory of 2040 | 1008 | regsvr32.exe | 73
  PID 1008 wrote to memory of 1316 | 1008 | regsvr32.exe | 72
Processes
(process tree; children are indented under their parent)

C:\Windows\system32\svchost.exe (PID 764)
  cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p
    C:\Windows\System32\mousocoreworker.exe (PID 4892)
      cmdline: C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\system32\svchost.exe (PID 936)
  cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\svchost.exe (PID 428)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\system32\svchost.exe (PID 888)
  cmdline: C:\Windows\system32\svchost.exe -k RPCSS -p

C:\Windows\System32\svchost.exe (PID 424)
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe (PID 688)
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p

C:\Windows\System32\svchost.exe (PID 1028)
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe (PID 1120)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in System32 directory

C:\Windows\system32\svchost.exe (PID 1048)
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe (PID 1196)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe (PID 1216)
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\System32\svchost.exe (PID 1264)
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  - Drops file in System32 directory

C:\Windows\system32\svchost.exe (PID 1352)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe (PID 1400)
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe (PID 1428)
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe (PID 1448)
  cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe (PID 1504)
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe (PID 1592)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe (PID 1632)
  cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe (PID 1900)
  cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\system32\svchost.exe (PID 2344)
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\System32\svchost.exe (PID 2784)
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe (PID 4516)
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  - Modifies data under HKEY_USERS

C:\Windows\System32\svchost.exe (PID 4016)
  cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\System32\svchost.exe (PID 3288)
  cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\svchost.exe (PID 1756)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS

C:\Windows\System32\svchost.exe (PID 4628)
  cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\system32\svchost.exe (PID 4184)
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time

C:\Windows\system32\svchost.exe (PID 3436)
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\System32\svchost.exe (PID 1940)
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe (PID 60)
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\system32\svchost.exe (PID 2872)
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe (PID 2800)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe (PID 2792)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe (PID 2764)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
  - Enumerates connected drives

C:\Windows\system32\svchost.exe (PID 2704)
  cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
  - Drops file in System32 directory
  - Suspicious use of UnmapMainImage

C:\Windows\system32\svchost.exe (PID 2564)
  cmdline: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe (PID 2552)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\System32\svchost.exe (PID 2168)
  cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe (PID 2108)
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p

C:\Windows\system32\svchost.exe (PID 1316)
  cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe (PID 2040)
  cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\svchost.exe (PID 2016)
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\System32\svchost.exe (PID 1908)
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe (PID 1816)
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe (PID 1808)
  cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\system32\svchost.exe (PID 1660)
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache

C:\Windows\System32\svchost.exe (PID 1640)
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe (PID 4904)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe (PID 1008)
      cmdline: "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\e56bb94~.tmp ,C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\takeown.exe (PID 1520)
          cmdline: takeown /f "C:\Windows\system32\rpcss.dll"
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\icacls.exe (PID 1684)
          cmdline: icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
          - Possible privilege escalation attempt
          - Modifies file permissions
        C:\Windows\SysWOW64\cmd.exe (PID 1804)
          cmdline: cmd /c del %%SystemRoot%%\system32\rpcss.dll~*
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 960KB
MD5: 848b19a65ebd0063ac098e7bb37c0641
SHA1: e45f52e30f87d1506a6ea6b611ae244d0326686f
SHA256: 4419f8ef04e03fdf7c5f7c11b37435dced39f403a2d609c9b039091ddecce058
SHA512: 88671786bb3519ee4f338c48d6fde6394109dc1c074f123e4e1eaca60c7ed2564d098115ba5e58f5903c8504b0642555afeb305c46e72b0c5fffcfee9f73587f

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 434B
MD5: 6cb6f408a64107b900c3f4c0033dfe43
SHA1: 3dd2778c9a17b45b1f95d070faa5e263be52f251
SHA256: bc8d570c036717b95163006a45fa2854044541fd0daeda675dc0a8372e920e65
SHA512: 07c5a9ec4aef450d4ebdd52f0a013506080feaea0ab979d074ea74abc57fc9dc79703038a65236accae72f1381e91183dfec3e4af0d5448e76f385c1b94377d8