a29223d6d22ebbfc9ff68bc41af05b3509843a390b1e3f1a883b829f4007e1b5

General

Target

a29223d6d22ebbfc9ff68bc41af05b3509843a390b1e3f1a883b829f4007e1b5.exe
Size

102KB
MD5

a7591dfb57df7926c9e081bc71b79b6a
SHA1

0d294dfc85b2fff024743da49d54926d6340392a
SHA256

a29223d6d22ebbfc9ff68bc41af05b3509843a390b1e3f1a883b829f4007e1b5
SHA512

37f26ec7dd00154ac0f8bb28fef9eae506867debc0ec401693e5e304e4b0679c5f6f4216a36e953b854e25d3cac361968c7d5da038bb85f67fff1729dd74cfc4
SSDEEP

1536:MIm5q1G27NKjwO5rF1EhByNLjXXXXXXHP2HmAXwVlQJHCBiIthuDf:zm+Kjwyr3EByNHYmAXwMiU+m

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1412 takeown.exe
1396 icacls.exe

pid	process
1412	takeown.exe
1396	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a29223d6d22ebbfc9ff68bc41af05b3509843a390b1e3f1a883b829f4007e1b5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	a29223d6d22ebbfc9ff68bc41af05b3509843a390b1e3f1a883b829f4007e1b5.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3444 regsvr32.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1412 takeown.exe
1396 icacls.exe

pid	process
3444	regsvr32.exe

pid	process
1412	takeown.exe
1396	icacls.exe

Drops file in System32 directory 8 IoCs

Processes:

regsvr32.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B363E346B43755F918E68AC3AA10D686_CB2DAFAB6EE03787052102F615BBFDF2	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\SysWOW64\apa.dll	regsvr32.exe
File created	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00188008E0BCAF36"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 8 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133148329578601468"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133148330189890815"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133148330577547514"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

regsvr32.exe

pid process

3444 regsvr32.exe
3444 regsvr32.exe
3444 regsvr32.exe
3444 regsvr32.exe
3444 regsvr32.exe
3444 regsvr32.exe
3444 regsvr32.exe
3444 regsvr32.exe

pid	process
3444	regsvr32.exe
3444	regsvr32.exe
3444	regsvr32.exe
3444	regsvr32.exe
3444	regsvr32.exe
3444	regsvr32.exe
3444	regsvr32.exe
3444	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

regsvr32.exetakeown.exesvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3444	regsvr32.exe
Token: SeTakeOwnershipPrivilege	1412	takeown.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2612	svchost.exe
Token: SeIncreaseQuotaPrivilege	2612	svchost.exe
Token: SeSecurityPrivilege	2612	svchost.exe
Token: SeTakeOwnershipPrivilege	2612	svchost.exe
Token: SeLoadDriverPrivilege	2612	svchost.exe
Token: SeSystemtimePrivilege	2612	svchost.exe
Token: SeBackupPrivilege	2612	svchost.exe
Token: SeRestorePrivilege	2612	svchost.exe
Token: SeShutdownPrivilege	2612	svchost.exe
Token: SeSystemEnvironmentPrivilege	2612	svchost.exe
Token: SeUndockPrivilege	2612	svchost.exe
Token: SeManageVolumePrivilege	2612	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2612	svchost.exe
Token: SeIncreaseQuotaPrivilege	2612	svchost.exe
Token: SeSecurityPrivilege	2612	svchost.exe
Token: SeTakeOwnershipPrivilege	2612	svchost.exe
Token: SeLoadDriverPrivilege	2612	svchost.exe
Token: SeSystemtimePrivilege	2612	svchost.exe
Token: SeBackupPrivilege	2612	svchost.exe
Token: SeRestorePrivilege	2612	svchost.exe
Token: SeShutdownPrivilege	2612	svchost.exe
Token: SeSystemEnvironmentPrivilege	2612	svchost.exe
Token: SeUndockPrivilege	2612	svchost.exe
Token: SeManageVolumePrivilege	2612	svchost.exe
Token: SeAuditPrivilege	2640	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2612	svchost.exe
Token: SeIncreaseQuotaPrivilege	2612	svchost.exe
Token: SeSecurityPrivilege	2612	svchost.exe
Token: SeTakeOwnershipPrivilege	2612	svchost.exe
Token: SeLoadDriverPrivilege	2612	svchost.exe
Token: SeSystemtimePrivilege	2612	svchost.exe
Token: SeBackupPrivilege	2612	svchost.exe
Token: SeRestorePrivilege	2612	svchost.exe
Token: SeShutdownPrivilege	2612	svchost.exe
Token: SeSystemEnvironmentPrivilege	2612	svchost.exe
Token: SeUndockPrivilege	2612	svchost.exe
Token: SeManageVolumePrivilege	2612	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2612	svchost.exe
Token: SeIncreaseQuotaPrivilege	2612	svchost.exe
Token: SeSecurityPrivilege	2612	svchost.exe
Token: SeTakeOwnershipPrivilege	2612	svchost.exe
Token: SeLoadDriverPrivilege	2612	svchost.exe
Token: SeSystemtimePrivilege	2612	svchost.exe
Token: SeBackupPrivilege	2612	svchost.exe
Token: SeRestorePrivilege	2612	svchost.exe
Token: SeShutdownPrivilege	2612	svchost.exe
Token: SeSystemEnvironmentPrivilege	2612	svchost.exe
Token: SeUndockPrivilege	2612	svchost.exe
Token: SeManageVolumePrivilege	2612	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2612	svchost.exe
Token: SeIncreaseQuotaPrivilege	2612	svchost.exe
Token: SeSecurityPrivilege	2612	svchost.exe
Token: SeTakeOwnershipPrivilege	2612	svchost.exe
Token: SeLoadDriverPrivilege	2612	svchost.exe
Token: SeSystemtimePrivilege	2612	svchost.exe
Token: SeBackupPrivilege	2612	svchost.exe
Token: SeRestorePrivilege	2612	svchost.exe
Token: SeShutdownPrivilege	2612	svchost.exe

Suspicious use of UnmapMainImage 5 IoCs

Processes:

svchost.exe

pid process

2520 svchost.exe
2520 svchost.exe
2520 svchost.exe
2520 svchost.exe
2520 svchost.exe

pid	process
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a29223d6d22ebbfc9ff68bc41af05b3509843a390b1e3f1a883b829f4007e1b5.exeregsvr32.exe

description	pid	process	target process
PID 3808 wrote to memory of 3444	3808	a29223d6d22ebbfc9ff68bc41af05b3509843a390b1e3f1a883b829f4007e1b5.exe	regsvr32.exe
PID 3808 wrote to memory of 3444	3808	a29223d6d22ebbfc9ff68bc41af05b3509843a390b1e3f1a883b829f4007e1b5.exe	regsvr32.exe
PID 3808 wrote to memory of 3444	3808	a29223d6d22ebbfc9ff68bc41af05b3509843a390b1e3f1a883b829f4007e1b5.exe	regsvr32.exe
PID 3444 wrote to memory of 1412	3444	regsvr32.exe	takeown.exe
PID 3444 wrote to memory of 1412	3444	regsvr32.exe	takeown.exe
PID 3444 wrote to memory of 1412	3444	regsvr32.exe	takeown.exe
PID 3444 wrote to memory of 1396	3444	regsvr32.exe	icacls.exe
PID 3444 wrote to memory of 1396	3444	regsvr32.exe	icacls.exe
PID 3444 wrote to memory of 1396	3444	regsvr32.exe	icacls.exe
PID 3444 wrote to memory of 784	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 784	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 908	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 908	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 956	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 956	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 524	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 524	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 740	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 740	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1032	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1032	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1056	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1056	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1072	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1072	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1092	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1092	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1112	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1112	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1256	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1256	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1284	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1284	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1312	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1312	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1464	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1464	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1476	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1476	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1496	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1496	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1576	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1576	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1600	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1600	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1624	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1624	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1636	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1636	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1732	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1732	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1740	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1740	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1860	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1860	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1868	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1868	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1928	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1928	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1940	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1940	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1664	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 1664	3444	regsvr32.exe	svchost.exe
PID 3444 wrote to memory of 2116	3444	regsvr32.exe	svchost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:968

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
2⤵
PID:3820

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
2⤵
PID:3196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:3708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Suspicious use of UnmapMainImage
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\a29223d6d22ebbfc9ff68bc41af05b3509843a390b1e3f1a883b829f4007e1b5.exe
"C:\Users\Admin\AppData\Local\Temp\a29223d6d22ebbfc9ff68bc41af05b3509843a390b1e3f1a883b829f4007e1b5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\e570976~.tmp ,C:\Users\Admin\AppData\Local\Temp\a29223d6d22ebbfc9ff68bc41af05b3509843a390b1e3f1a883b829f4007e1b5.exe
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rpcss.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1396

C:\Windows\SysWOW64\cmd.exe
cmd /c del %%SystemRoot%%\system32\rpcss.dll~*
3⤵
PID:1672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e570976~.tmp
Filesize
960KB

MD5
4fcda51d0638eaefde8562ec2a44ed11

SHA1
9d4f9c78f06e85f53ae8acec0b5e433e0203569a

SHA256
84172de4b1d0eeb8fb22e77c6ac8f32c203c37eff65b6a1894296ecf30278cbc

SHA512
655b796ac553a2dd6fc53188c74c88aa4fc32865a2842e30330b11c1c4d51ae59774be7254ca207257b32b971942bbc31c46f841ea60f2f5b2870cabedbc79af

Download Submit
C:\Users\Admin\AppData\Local\Temp\e570976~.tmp
Filesize
960KB

MD5
4fcda51d0638eaefde8562ec2a44ed11

SHA1
9d4f9c78f06e85f53ae8acec0b5e433e0203569a

SHA256
84172de4b1d0eeb8fb22e77c6ac8f32c203c37eff65b6a1894296ecf30278cbc

SHA512
655b796ac553a2dd6fc53188c74c88aa4fc32865a2842e30330b11c1c4d51ae59774be7254ca207257b32b971942bbc31c46f841ea60f2f5b2870cabedbc79af

Download Submit
memory/968-184-0x0000000000000000-mapping.dmp

Download
memory/1396-136-0x0000000000000000-mapping.dmp

Download
memory/1412-135-0x0000000000000000-mapping.dmp

Download
memory/1672-183-0x0000000000000000-mapping.dmp

Download
memory/3196-186-0x0000000000000000-mapping.dmp

Download
memory/3444-132-0x0000000000000000-mapping.dmp

Download
memory/3820-185-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads